Microsoft Corporation today released its comprehensive security update for April 2026, addressing a total of 167 vulnerabilities across its software ecosystem. This monthly Patch Tuesday rollout is one of the largest in recent years by volume and includes fixes for two zero-day vulnerabilities that Microsoft confirms are currently being exploited in the wild. Of the 167 flaws identified, eight are classified as critical, while 158 are rated as important and one is considered moderate in severity.
The first zero-day vulnerability, identified as a remote code execution flaw within Microsoft SharePoint, allows unauthenticated attackers to execute arbitrary code on affected servers. According to Microsoft’s Security Response Center, the exploit involves a bypass of existing validation checks in the SharePoint Server API. This vulnerability affects SharePoint Server 2019, SharePoint Server Subscription Edition, and several legacy versions still in extended support. Security researchers noted that successful exploitation could lead to full compromise of corporate intranets and sensitive document repositories.
The second actively exploited zero-day involves a security feature bypass in Microsoft Defender, the company’s primary antivirus and endpoint protection suite. This flaw allows attackers to disable specific real-time monitoring components or evade detection during the deployment of secondary malware payloads. Microsoft reported that this vulnerability has been observed in targeted attacks against enterprise environments. The update addresses the issue by hardening the communication channel between the Defender kernel-mode driver and the user-mode service.
In addition to the zero-days, the April 2026 update includes eight critical vulnerabilities. These primarily consist of remote code execution flaws in the Windows Network Stack and the Windows Kernel. One notable critical fix addresses a vulnerability in the Windows Remote Procedure Call (RPC) runtime, which could allow an attacker to trigger code execution over the network without user interaction. This specific flaw carries a Common Vulnerability Scoring System (CVSS) score of 9.8, indicating a high level of risk for systems exposed to the internet.
Other affected services in this month’s release include Microsoft Office 365, Azure IoT Edge, and the Microsoft Edge browser. The update also provides patches for 24 elevation of privilege vulnerabilities and 31 information disclosure flaws. Microsoft has urged system administrators to prioritize the deployment of these patches, particularly for internet-facing SharePoint servers and endpoints running Microsoft Defender. The company noted that while the volume of patches is high, the cumulative nature of the updates ensures that all previous security improvements are included in the April 2026 deployment.