
TheCyberThrone | Vulnerability Advisory | April 15, 2026
Volume & Scale — A Near-Record Release
Microsoft patched 163 CVEs in the April 2026 Patch Tuesday release, the second largest Patch Tuesday on record, behind only the October 2025 cycle with 167 CVEs. The breakdown: eight Critical-severity vulnerabilities and 154 rated Important (the two severity buckets together account for 162 of the 163), alongside one publicly disclosed zero-day and one vulnerability already being exploited in the wild.
An additional 80 vulnerabilities in Microsoft Edge (Chromium-based) were patched earlier in the month, bringing the aggregate exposure surface for April to well over 240 flaws across the Microsoft ecosystem alone.
The Zero-Days — Both Demand Immediate Action
CVE-2026-33825 — Microsoft Defender Elevation of Privilege (Publicly Disclosed)
An insufficient access-control granularity flaw in Windows Defender allows an authenticated attacker to elevate local privileges. Insufficient granularity of access control occurs when security policies are too broad, permitting authorized users to exceed their intended permissions.
This flaw was publicly disclosed before a patch was available and appears to match a zero-day exploit known as "BlueHammer," with exploit code posted to GitHub on April 3rd by a researcher using the alias "Chaotic Eclipse," who expressed concern about Microsoft's handling of the vulnerability disclosure process. The CVSSv3 score is 7.8, rated Important. The public PoC significantly elevates the urgency: treat this as a Priority 1 patch regardless of the Important rating.
CVE-2026-32201 — Microsoft SharePoint Server Spoofing (Actively Exploited in the Wild)
An improper input validation vulnerability in Microsoft Office SharePoint may allow an unauthenticated attacker to perform network spoofing. CISA has acknowledged active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog, urging users to patch before April 28, 2026.
This vulnerability received a CVSSv3 score of 6.5. The CISA KEV listing is unambiguous: internet-facing SharePoint environments need emergency patching. Spoofing from an unauthenticated position gives an attacker a pre-authentication entry point to build on. Federal agencies are bound by BOD 22-01; everyone else should treat the April 28 deadline as a hard ceiling, not a recommendation.
Critical Severity CVEs — Eight Flaws, Seven RCEs
Of the eight Critical vulnerabilities, seven are remote code execution flaws and one is a denial-of-service vulnerability.
CVE-2026-33827 — Windows TCP/IP Remote Code Execution
A race condition flaw in Windows TCP/IP may allow an unauthenticated attacker to execute code over a network. An attacker can send a specially crafted IPv6 packet to a Windows host with IPsec enabled, leading to remote code execution. This is the most dangerous architectural flaw in this release: unauthenticated, network-reachable, and targeting the core protocol stack. Organizations running IPv6 with IPsec for VPN or east-west segmentation are directly in scope. Prioritize this across all Windows Server and endpoint fleets.
CVE-2026-33824 — Windows IKE Service Extensions RCE
An unauthenticated attacker could send specially crafted packets to a Windows machine with Internet Key Exchange version 2 enabled, potentially leading to remote code execution. Additional mitigations can include blocking inbound IKEv2 traffic at the perimeter as a compensating control pending patch deployment. Environments using native Windows VPN infrastructure are directly exposed.
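The two network-reachable flaws above (IPv6 with IPsec for CVE-2026-33827, IKEv2 for CVE-2026-33824) share a practical question: which hosts are actually in scope, and what can be done on a host before the patch lands? The script below is an added example, not code from the advisory or from Microsoft. It checks whether the IKEEXT service is listening on UDP 500/4500, whether the host has routable IPv6 addresses and active IPsec rules, and optionally creates a temporary Windows Firewall block for inbound IKE/NAT-T as a host-level counterpart to the perimeter block the advisory suggests. The rule name and the dry-run default are assumptions; run it in an elevated PowerShell.

```powershell
# Added example, not from the advisory: exposure check and temporary compensating control
# for the IKEv2 (CVE-2026-33824) and IPv6/IPsec (CVE-2026-33827) network vectors.
# The rule name and the dry-run default are assumptions. Run in an elevated PowerShell.
[CmdletBinding()]
param([switch]$Apply)

# 1. IKEv2 exposure: is the IKE/AuthIP keying service running and listening on UDP 500/4500?
$ikeSvc    = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
$listeners = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
             Where-Object { $_.LocalPort -in 500, 4500 }
"IKEEXT service state : {0}" -f $ikeSvc.Status
"IKE/NAT-T listeners  : {0}" -f (($listeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', ')

# 2. IPv6 + IPsec scope: non-link-local IPv6 addresses and active IPsec rules on this host.
$v6 = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
      Where-Object { $_.PrefixOrigin -ne 'WellKnown' }        # WellKnown = fe80::/10 auto-config and ::1
$ipsec = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue
"Routable IPv6 addrs  : {0}" -f @($v6).Count
"Active IPsec rules   : {0}" -f @($ipsec).Count
if (@($v6).Count -gt 0 -and @($ipsec).Count -gt 0) {
    "WARNING: host is in scope for CVE-2026-33827 (IPv6 + IPsec). Patch first; a port block does not cover this one."
}

# 3. Host-firewall block for inbound IKE (UDP/500) and NAT-T (UDP/4500), mirroring the
#    perimeter block the advisory suggests. This breaks any IPsec/IKEv2 VPN or transport-mode
#    peer terminating on this host, so apply only where that traffic is not needed, and
#    remove the rule once the April update is confirmed installed.
$ruleName = 'TEMP-Block-Inbound-IKEv2-CVE-2026-33824'
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    "Block rule '$ruleName' already present."
} elseif ($Apply) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort 500, 4500 -Action Block -Profile Any -Enabled True | Out-Null
    "Created '$ruleName'. Roll back with: Remove-NetFirewallRule -DisplayName '$ruleName'"
} else {
    "Dry run only. Re-run with -Apply to create the block rule."
}
```

Two caveats the script itself prints but which deserve repeating: the firewall rule is a stopgap for IKEv2 only, since the TCP/IP flaw is in the IPv6 stack itself and is not addressed by blocking a port, and any host that terminates IPsec VPN or transport-mode peers will lose that connectivity the moment the rule is applied.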
CVE-2026-33826 — Windows Active Directory RCE
This flaw received a CVSSv3 score of 8.0, was rated Critical, and was assessed as "Exploitation More Likely" by Microsoft's Exploitability Index. An improper input validation flaw in Windows Active Directory could allow an authenticated attacker on an adjacent network to execute code via a specially crafted RPC call to an RPC host. Authenticated-but-adjacent RCE against AD is effectively a domain compromise enabler: any threat actor with a foothold on the network can weaponize this.
CVE-2026-32157 — Remote Desktop Client RCE
A use-after-free flaw in the Remote Desktop Client may allow an attacker to execute code on the client over the network. The attacker needs no credentials on the victim side; exploitation requires a user on the client to connect to a malicious RDP server. The attack scenario is a classic adversary-in-the-middle or rogue RDP server setup, particularly relevant in phishing campaigns that distribute .rdp files.
CVE-2026-32190 — Microsoft Office RCE
A use-after-free vulnerability in Microsoft Office may allow an unauthenticated attacker to execute code locally. The attacker is remote, but the attack is carried out locally: code from the local machine needs to be executed to exploit the vulnerability, which is the standard document-borne delivery vector. Patch immediately across all Office/M365 endpoints.
CVE-2026-33114 & CVE-2026-33115 — Microsoft Word RCE (Two Flaws)
CVE-2026-33114 is a pointer dereference vulnerability in Microsoft Word allowing an unauthenticated attacker to execute code locally. CVE-2026-33115 is a use-after-free vulnerability in Microsoft Word with the same impact. Two Critical Word RCEs in a single patch cycle is unusual and should elevate concern around macro-less document exploitation techniques.
CVE-2026-23666 — .NET Framework Denial of Service
A race condition flaw in the .NET Framework could allow an unauthenticated attacker to deny service to network clients. The only non-RCE Critical this month — relevant for API-heavy or backend service environments built on .NET.
Notable Important-Severity Highlights
Several Important-rated CVEs carry outsized real-world risk:
CVE-2026-32162 — Windows COM EoP — An unauthenticated attacker can gain SYSTEM privileges. Unauthenticated EoP to SYSTEM via COM is a significant design concern and likely to be chained with existing weaponized exploits quickly.
CVE-2026-27913 — Windows BitLocker Security Feature Bypass — Improper input validation allows an unauthenticated attacker to bypass BitLocker locally. On endpoints with full disk encryption as the primary data-at-rest control, this is a data exposure event waiting to happen on stolen/lost devices.
CVE-2026-0390 — Windows Boot Loader Security Feature Bypass — Authenticated attacker bypasses a local security feature. Secure Boot chain-of-trust bypass — relevant for any organization relying on TPM/Secure Boot as a hardware root-of-trust.
CVE-2026-27906 — Windows Hello Security Feature Bypass — Authenticated bypass of biometric/PIN authentication. Has implications for passwordless deployment architectures.
CVE-2026-32070 — Windows CLFS Driver EoP — Use-after-free enables SYSTEM privileges. CLFS (Common Log File System) has been a recurring ransomware escalation vehicle since 2022 — this pattern continues.
CVE-2026-27908 & CVE-2026-27921 — Windows TDI Translation Driver EoP (×2) — Two separate use-after-free flaws in tdx.sys that both lead to SYSTEM privileges. Dual flaws in the same driver suggest insufficient code review depth in this component.
CVE-2026-32152 & CVE-2026-32154 — Desktop Window Manager EoP (×2) — SYSTEM privilege escalation via use-after-free in DWM. DWM runs in every interactive session, which makes it a convenient target for post-exploitation tooling.
CVE-2026-26151 — Remote Desktop Spoofing — Unauthenticated network spoofing via RDP. Pairs dangerously with the RDP client RCE (CVE-2026-32157) in the same release.
CVE-2026-32225 — Windows Shell Security Feature Bypass — Unauthenticated network security feature bypass. Shell-level bypass accessible without credentials is a defense evasion primitive.
Windows 11 Cumulative Updates
Microsoft released KB5083769 for Windows 11 versions 24H2 and 25H2, bumping builds to 26100.8246 and 26200.8246 respectively. Windows 11 version 23H2 receives KB5082052, moving to Build 22631.6936.
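Those build numbers are what a practitioner actually checks after deployment, since a KB name alone does not prove the update applied. The script below is an added example, not code from the advisory or from Microsoft: it reads the version, build and UBR from the registry, compares them against the three Windows 11 baselines stated above, and cross-checks Get-HotFix for the expected KB. The baseline table is taken from the advisory; the remote path assumes WinRM is enabled, and the hosts.txt inventory file is an assumption.

```powershell
# Added example, not from the advisory: check a Windows 11 host against the build numbers
# the April 2026 release ships, then confirm the KB is listed as installed. The baseline
# table is taken from the advisory; the remote-execution path assumes WinRM is enabled.
$Baseline = @{
    '24H2' = @{ Build = 26100; UBR = 8246; KB = 'KB5083769' }
    '25H2' = @{ Build = 26200; UBR = 8246; KB = 'KB5083769' }
    '23H2' = @{ Build = 22631; UBR = 6936; KB = 'KB5082052' }
}

# Pure comparison logic, kept separate from collection so it can also run over exported inventory
function Compare-PatchLevel {
    param([string]$DisplayVersion, [int]$CurrentBuild, [int]$UBR, [string[]]$InstalledKBs)
    $b = $Baseline[$DisplayVersion]
    if (-not $b) {
        return [pscustomobject]@{ Version = $DisplayVersion; Build = "$CurrentBuild.$UBR"; Status = 'NotInBaseline'; Needs = $null }
    }
    $current = ($CurrentBuild -eq $b.Build -and $UBR -ge $b.UBR)   # a later UBR is a later cumulative, still covered
    $kbSeen  = $InstalledKBs -contains $b.KB
    $status  = if ($current) { 'Patched' } else { 'Missing' }
    # UBR matches but the KB is absent from Get-HotFix: unusual (QFE data can lag), so flag rather than fail
    if ($current -and -not $kbSeen) { $status = 'PatchedVerifyKB' }
    [pscustomobject]@{ Version = $DisplayVersion; Build = "$CurrentBuild.$UBR"; Status = $status; Needs = $b.KB }
}

function Test-AprilPatchLevel {
    param([string]$ComputerName)
    $collect = {
        $r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{
            DisplayVersion = $r.DisplayVersion
            CurrentBuild   = [int]$r.CurrentBuild
            UBR            = [int]$r.UBR
            KBs            = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
        }
    }
    $d = if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect } else { & $collect }
    $result = Compare-PatchLevel -DisplayVersion $d.DisplayVersion -CurrentBuild $d.CurrentBuild -UBR $d.UBR -InstalledKBs $d.KBs
    $name = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
    $result | Add-Member -NotePropertyName Computer -NotePropertyValue $name -PassThru
}

# Local check; the commented line sweeps a fleet from an assumed hosts.txt and lists stragglers
Test-AprilPatchLevel
# Get-Content .\hosts.txt | ForEach-Object { Test-AprilPatchLevel -ComputerName $_ } | Where-Object Status -ne 'Patched'
```

The comparison accepts any UBR at or above the April value on the same build line, so hosts that have already taken a later cumulative update still report as patched; a host on a version not in the table (Windows Server, older Windows 10 lines) reports NotInBaseline rather than a false pass, because the advisory gives builds only for the three Windows 11 versions.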
Notable functional changes in this release beyond security patches:
Microsoft is adding better visibility into Secure Boot certificate updates, with status alerts inside the Windows Security app — disabled by default on commercial devices — alongside improvements to how devices receive new Secure Boot certificates via phased rollout.
An issue where some devices unexpectedly entered BitLocker Recovery after Secure Boot updates has been resolved. On the networking side, SMB compression over QUIC is more reliable, with fewer timeouts during file transfers. For Remote Desktop, opening .rdp files will now display all connection settings upfront with everything disabled by default, and a one-time security warning will appear to reduce phishing risk from malicious RDP files.
The RDP hardening change in KB5083769 is directly responsive to the threat modeled by CVE-2026-32157 — a welcome defensive design decision.
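The .rdp-file threat discussed under CVE-2026-32157 and again here is a concrete thing to triage at the mail gateway or on the endpoint, independent of whether KB5083769 is installed yet. The function below is an added example, not code from the advisory or from Microsoft: it parses the key:type:value lines of an .rdp file and flags the settings a rogue server relies on, namely device and clipboard redirection, RemoteApp or alternate-shell launch, a disabled server-authentication check, and a destination outside an allowlist. The trusted-suffix list and the sample file are constructed for this example; the setting names are the standard .rdp keys.

```powershell
# Added example, not from the advisory or from Microsoft: triage an .rdp file before a user
# opens it, flagging the settings a rogue RDP server would want. The trusted-suffix list and
# the sample file below are constructed for this example.
function Get-RdpFileRisk {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$TrustedSuffixes = @('.corp.example.com')   # assumption: your internal RDP hosts
    )
    # .rdp files are one "key:type:value" per line; type is s (string), i (integer) or b (binary)
    $s = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<k>[^:]+):(?<t>[sib]):(?<v>.*)$') {
            $s[$Matches['k'].Trim().ToLower()] = $Matches['v'].Trim()
        }
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    # Device and clipboard redirection give the remote side a path back onto the client
    foreach ($k in 'redirectclipboard', 'redirectprinters', 'redirectcomports', 'redirectsmartcards', 'redirectwebauthn') {
        if ($s[$k] -eq '1') { $findings.Add("$k=1") }
    }
    foreach ($k in 'drivestoredirect', 'devicestoredirect', 'usbdevicestoredirect', 'camerastoredirect') {
        if ($s[$k]) { $findings.Add("$k=$($s[$k])") }
    }
    # RemoteApp mode and alternate shell let the server decide what runs in the session
    if ($s['remoteapplicationmode'] -eq '1') { $findings.Add("remoteapplicationmode=1 ($($s['remoteapplicationprogram']))") }
    if ($s['alternate shell'])               { $findings.Add("alternate shell=$($s['alternate shell'])") }
    # authentication level 0 connects even when the server certificate cannot be validated
    if ($s['authentication level'] -eq '0') { $findings.Add('authentication level=0') }

    # Destination host: strip the port, handle bracketed IPv6, then apply the allowlist
    $addr   = [string]$s['full address']
    $target = if ($addr -match '^\[(?<h>[^\]]+)\]') { $Matches['h'] } else { ($addr -split ':')[0] }
    $trusted = $false
    foreach ($suffix in $TrustedSuffixes) { if ($target -like "*$suffix") { $trusted = $true } }
    if (-not $trusted) { $findings.Add("full address=$target (not a trusted host)") }
    if ($s['gatewayhostname']) { $findings.Add("gatewayhostname=$($s['gatewayhostname'])") }

    $verdict = if ($findings.Count -eq 0) { 'Clean' } elseif ($trusted) { 'Review' } else { 'Block' }
    [pscustomobject]@{
        Target   = $target
        Trusted  = $trusted
        Findings = $findings.ToArray()
        Verdict  = $verdict
    }
}

# Constructed sample in the shape of a phishing .rdp attachment (not a real campaign artifact)
$sample = @'
full address:s:files.update-portal.example.net:3389
prompt for credentials:i:0
authentication level:i:0
redirectclipboard:i:1
drivestoredirect:s:*
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Viewer
'@ -split "`r?`n"

Get-RdpFileRisk -Lines $sample | Format-List
```

The sample trips every category (clipboard and drive redirection, RemoteApp launch, server authentication disabled, untrusted destination) and so lands on Block. A file pointing at an allowlisted host with redirection enabled comes back as Review rather than Block, which is the right default for legitimate internal jump hosts. The same keys are what the KB5083769 connection-settings prompt now surfaces to the user; this function lets the gateway or EDR make the call before the user ever sees the prompt.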
Analyst Verdict
April 2026 is not a month to let patch cycles slip. The combination of a public PoC against a security product (Defender), confirmed active exploitation of SharePoint, and a TCP/IP stack RCE reachable without authentication via IPv6 creates a three-vector attack surface that threat actors, particularly ransomware operators and state-sponsored groups, will move on fast. With elevation-of-privilege flaws dominating at 93 CVEs, any initial access, regardless of the privilege level obtained, becomes a full compromise path on an unpatched estate.
The BlueHammer disclosure controversy (researcher public drop after disputed responsible disclosure timeline) is also a signal that Microsoft’s patch-researcher communication pipeline is under strain — expect more researcher-disclosed 0-days in this disclosure climate going forward.
Patch. Verify. Scan.

Nice write up.