Microsoft released its comprehensive April 2026 Patch Tuesday security updates today, April 21, 2026, addressing a total of 168 vulnerabilities across its product portfolio. This monthly update cycle is notable for its volume and the inclusion of two zero-day vulnerabilities, one of which is currently being exploited in active attacks. The release covers security gaps in Windows, Microsoft Office, SharePoint Server, Azure, .NET, and Microsoft Defender.
Of the 168 vulnerabilities documented, 15 are categorized as Critical, 152 as Important, and one as Moderate. The most significant concern for security administrators is CVE-2026-28901, a remote code execution vulnerability in Microsoft SharePoint Server. Microsoft confirmed that this flaw is being actively exploited in the wild. An attacker with Site Owner permissions can leverage this vulnerability to execute arbitrary code on the server by sending a specifically crafted API request. This zero-day poses a high risk to organizations using on-premises SharePoint environments, as it allows for deep lateral movement within corporate networks once initial access is gained.
The second zero-day vulnerability, CVE-2026-27755, affects Microsoft Defender. While Microsoft has not yet detected active exploitation of this flaw, the technical details were publicly disclosed before a patch was available, increasing the likelihood of future attacks. This vulnerability is classified as a security feature bypass. It allows an attacker to evade the Defender scanning engine, potentially permitting the execution of malicious files that would otherwise be quarantined. The fix applies to Microsoft Defender versions prior to 4.18.2604.5, and the update is being delivered through the standard Microsoft Malware Protection Center engine updates.
In addition to the zero-days, the April 2026 update addresses 15 critical vulnerabilities. Among these is CVE-2026-28112, a remote code execution flaw in Windows Hyper-V. This vulnerability allows a user on a guest virtual machine to escape the sandbox and execute code on the host operating system, a scenario that presents significant risks for cloud service providers and data centers. Furthermore, the update resolves 24 elevation of privilege vulnerabilities within the Windows Kernel and 18 information disclosure flaws affecting various Windows components.
The scope of this update cycle extends to Windows 11 versions 23H2 and 24H2, Windows 10 version 22H2, and Windows Server versions 2016 through 2025. Microsoft has also issued patches for Azure Site Recovery and Azure File Sync to address vulnerabilities that could lead to unauthorized data access. Microsoft official statements recommend that organizations prioritize the SharePoint Server patch and ensure that the Microsoft Defender engine is updated to the latest version immediately. While Azure cloud services remained operational during the rollout, local system administrators should expect required reboots for Windows and Server installations to complete the patching process.