Microsoft Corporation released its monthly security update for April 2026 today, addressing a total of 167 vulnerabilities. This release marks one of the most extensive patching cycles in recent years, focusing on critical infrastructure components and core services. Among the addressed flaws are two zero-day vulnerabilities that Microsoft confirmed were being actively exploited in the wild prior to the release of these patches. The update covers a wide range of products, including Windows 11, Windows Server 2025, Microsoft Office, and the Azure cloud platform.
The two zero-day vulnerabilities, identified as CVE-2026-29841 and CVE-2026-30112, involve a privilege escalation flaw in the Windows Kernel and a critical remote code execution vulnerability in Microsoft Defender. According to Microsoft's Security Response Center (MSRC), CVE-2026-29841 allowed attackers to gain SYSTEM-level privileges on affected workstations. The second zero-day, CVE-2026-30112, permitted malicious actors to execute arbitrary code by exploiting the way Defender scans specifically crafted files. Microsoft noted that limited, targeted attacks using these vulnerabilities had been observed by its Threat Intelligence team prior to today's patch release.
Beyond the zero-days, the April update includes 14 vulnerabilities classified as Critical due to their potential for Remote Code Execution (RCE). A significant flaw in the Windows TCP/IP stack, CVE-2026-28775, could allow an unauthenticated attacker to execute code with elevated privileges by sending specially crafted IPv6 packets. Additionally, Microsoft SharePoint Server received patches for three RCE vulnerabilities, CVE-2026-28901 through CVE-2026-28903, that could allow an authenticated user with Site Owner permissions to execute arbitrary code on the server. These flaws are particularly concerning for organizations hosting internal collaboration portals.
Security researchers highlighted several fixes for Active Directory Domain Services, specifically addressing a denial-of-service vulnerability that could disrupt authentication services across enterprise networks. The update also includes patches for 42 flaws in the Microsoft Edge browser and 12 vulnerabilities in SQL Server. Microsoft advised system administrators to prioritize the deployment of these updates, particularly for internet-facing SharePoint servers and Domain Controllers, to mitigate the risk of lateral movement within corporate environments. The volume of patches this month reflects ongoing efforts to harden legacy components against modern exploitation techniques.
As of April 22, 2026, Microsoft has integrated these fixes into the standard Windows Update delivery system. The company stated that no significant downtime was reported during the initial rollout phase, though some enterprise users may experience reboot requirements for core kernel updates. This Patch Tuesday follows a trend of increasing vulnerability counts as Microsoft expands its cloud and hybrid identity services. Technical documentation released alongside the patches provides specific mitigation steps for organizations unable to apply the updates immediately, including disabling certain IPv6 features to protect against the TCP/IP flaw.