April 2026 Patch Tuesday: Two Zero-Days and Eight Critical Vulnerabilities Among 164 CVEs

On April 2026 Patch Tuesday, Microsoft addressed 164 security vulnerabilities, including two zero-day vulnerabilities and eight critical ones, representing a significant increase from the previous month. The patch release prioritized issues such as elevation of privilege, remote code execution, and information disclosure, with Microsoft Windows receiving the majority of patches. One zero-day vulnerability in Microsoft SharePoint Server, identified as CVE-2026-32201, allows unauthenticated remote attackers to perform spoofing due to improper input validation, while another in Microsoft Defender, CVE-2026-33825, involves elevation of privilege through insufficient access control. Critical vulnerabilities included those affecting Windows TCP/IP, Internet Key Exchange Service Extensions, Remote Desktop Client, Microsoft Office, and Active Directory, each allowing potential remote code execution. Microsoft provided official fixes for these vulnerabilities, but also emphasized the importance of mitigation strategies for unpatched vulnerabilities. The CrowdStrike Falcon platform offers tools to help organizations effectively manage and prioritize these security risks.