April 2026 Patch Tuesday: 163 CVEs Patched, SharePoint Zero-Day Exploited in the Wild, BlueHammer PoC Published
Microsoft patched 163 CVEs in the April 15, 2026 Patch Tuesday release. Including Chromium-based Edge/browser vulnerabilities, the total reaches roughly 247. Tenable senior research engineer Satnam Narang called it “the second-largest Patch Tuesday release in Microsoft’s history.”
The breakdown is 8 Critical, 154 Important, and 1 Moderate, with about 60 of those being browser-related. Security researchers attribute the inflated count to AI-accelerated vulnerability discovery. Rapid7’s Adam Barnett noted that “as AI models continue to expand in both capability and adoption, we should expect further increases in vulnerability report volume.” ZDI’s vulnerability submission rate has nearly tripled year-over-year.
Here are the CVEs from this release that demand urgent attention or are technically noteworthy.
SharePoint Server Zero-Day CVE-2026-32201, Actively Exploited
| Field | Details |
|---|---|
| Product | SharePoint Server 2016 / 2019 / Subscription Edition |
| Type | Spoofing (XSS) |
| CVSS | 6.5 |
| Authentication | Not required |
| Exploitation | Confirmed in-the-wild / CISA KEV listed |
This is an XSS via insufficient input sanitization, exploitable over the network without authentication. The CVSS score of 6.5 looks low on paper, but it is already being used in real attacks and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Action1’s Mike Walters warns that the flaw “enables phishing attacks, unauthorized data manipulation, and social engineering attack campaigns that could lead to further compromise.” Internet-facing SharePoint servers should be patched as a priority.
BlueHammer CVE-2026-33825, Windows Defender LPE with Public PoC
| Field | Details |
|---|---|
| Product | Windows Defender (Microsoft Defender) |
| Type | Local Privilege Escalation (EoP) |
| CVSS | 7.8 |
| Exploitation | Full PoC published before patch; no confirmed in-the-wild exploitation |
In early April 2026, a researcher going by “Chaotic Eclipse” (a.k.a. “Nightmare Eclipse”) published a fully functional Windows LPE exploit on GitHub. The release was reportedly motivated by frustration with Microsoft’s slow response after responsible disclosure.
The attack chain is technically interesting. It repurposes Windows Defender’s signature update workflow as a credential-theft mechanism in five stages:
```mermaid
graph TD
A[VSS Abuse<br/>Force Defender to create snapshot] --> B[Timing Attack<br/>Halt Defender processing at precise moment]
B --> C[Registry Access<br/>Extract SAM hive from VSS snapshot]
C --> D[Credential Theft<br/>Dump NTLM hashes from local accounts]
D --> E[Privilege Escalation<br/>Spawn SYSTEM process via CreateService API]
```
The root cause is an unexpected interaction between the Cloud Files API and Volume Shadow Copy Services (VSS). The technique of extracting SAM hives from VSS snapshots and decrypting NTLM hashes is a well-known approach among Windows security researchers; the novelty here is executing it within Defender’s privileged context.
Once NTLM hashes are obtained, an attacker can use pass-the-hash attacks to move laterally into other systems on the internal network. Registering a malicious Windows service enables persistence across reboots. On server editions, the exploit yields administrator privileges; on client operating systems (Windows 10/11), it achieves SYSTEM.
Tharros’ Will Dormann confirmed that the published PoC stopped working after the April 14 patch. However, Cyderes Howler researchers Rahul Ramesh and Reegun Jayapaul demonstrated a modified version. Since Defender’s signatures only detect the original binary, recompilation was enough to bypass detection.
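Because Defender's signature covers only the original binary, a behavioral hunt is the more durable check. The script below is an added example (not from the article, the PoC, or Microsoft) that reviews System log event 7045 for newly installed services whose executable lives outside the usual system locations, which is the footprint of the chain's final CreateService stage; the 7045 field order and the trusted-root list are assumptions stated in the comments.

```powershell
# Added example: hunt System log event 7045 ("A service was installed") for
# services whose binary sits outside the normal system locations. The last
# stage of the chain registers a service to spawn a SYSTEM process, and a
# recompiled PoC evades the signature, so look at the behavior instead.
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

# Assumed trusted roots for legitimate service binaries; everything else is reported.
$trustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

$filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # 7045 message fields, in order: ServiceName, ImagePath, ServiceType, StartType, AccountName
    $svcName   = $e.Properties[0].Value
    $imagePath = [string]$e.Properties[1].Value
    $account   = $e.Properties[4].Value

    # Reduce the ImagePath to the bare executable: drop quotes and arguments,
    # then normalise the driver-style prefixes so they compare against real paths.
    $exe = ($imagePath -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $exe = $exe -replace '^\\\?\?\\', ''
    $exe = $exe -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $exe = $exe -replace '^system32\\', "$env:SystemRoot\system32\"
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    $trusted = $false
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true; break }
    }
    if ($trusted) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Service     = $svcName
        ImagePath   = $imagePath
        RunsAs      = $account
        InstalledBy = $e.UserId   # SID of the principal that registered the service
    }
}
```

Pipe the output to a SIEM or review it by hand; a LocalSystem service whose binary sits under a user profile or temp directory deserves an immediate look.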
Wormable High-CVSS CVEs
This release includes two CVEs scoring 9.0 or above:
| CVE | Component | CVSS | Type |
|---|---|---|---|
| CVE-2026-33824 | Windows IKE Service Extensions | 9.8 | RCE |
| CVE-2026-26149 | Microsoft Power Apps | 9.0 | Security Bypass |
CVE-2026-33824 (IKE RCE) is an unauthenticated remote code execution that is wormable, meaning a compromised system can autonomously spread the exploit to other systems. Blocking UDP 500/4500 prevents external access, but does not help against lateral movement inside the network. IKE is the key exchange protocol for IPsec VPN and is widely deployed in enterprise environments.
CVE-2026-33827 (TCP/IP RCE, CVSS 8.1) is also wormable and matches an attack pattern demonstrated at Pwn2Own 2026. It targets IPv6/IPSec environments.
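For the IKE paragraph above, the following added example (not from the article) reports whether a Windows host is actually listening on UDP 500/4500 and which enabled inbound firewall rules would admit that traffic, so that an internet-facing exposure can be separated from the intranet-only case; the `IKEEXT` service name and the rule-matching heuristic are assumptions noted in the comments.

```powershell
# Added example: judge CVE-2026-33824 exposure on this host. Scoping the
# per-host firewall narrows lateral reach inside the network, but it is a
# stopgap; only the April update removes the flaw.
$report = [ordered]@{}

# IKEEXT is the IKE and AuthIP IPsec Keying Modules service (assumed name).
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
$report.IkeServiceStatus = if ($ike) { [string]$ike.Status } else { 'NotInstalled' }

# Sockets actually bound on the IKE ports.
$report.IkeListeners = @(Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" })

# Enabled inbound allow rules whose port filter covers UDP 500 or 4500.
# LocalPort may be 'Any', one port, a list, or a range such as '500-4500';
# ranges are not expanded here (assumption: ranges are rare for IKE rules).
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
$hits = foreach ($rule in $rules) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -ne 'UDP') { continue }
    $ports = @($pf.LocalPort)
    $open = ($ports -contains 'Any') -or ($ports -contains '500') -or ($ports -contains '4500')
    if (-not $open) { continue }
    $af = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = [string]$rule.Profile
        RemoteAddress = ($af.RemoteAddress -join ',')   # 'Any' means no source scoping
    }
}
$report.InboundIkeRules = @($hits)

# An unscoped rule on the Public profile is the internet-facing case the article warns about.
$report.UnscopedOnPublic = @($hits | Where-Object {
    $_.RemoteAddress -eq 'Any' -and ($_.Profile -match 'Public|Any')
}).Count -gt 0

[pscustomobject]$report
```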
Other notable CVEs at CVSS 8.0 and above:
| CVE | Component | CVSS | Type |
|---|---|---|---|
| CVE-2026-32171 | Azure Logic Apps | 8.8 | EoP |
| CVE-2026-32157 | Remote Desktop Client | 8.8 | RCE |
| CVE-2026-33120 | SQL Server | 8.8 | RCE |
| CVE-2026-26178 | Windows Advanced Rasterization | 8.8 | EoP |
| CVE-2026-27928 | Windows Hello | 8.7 | Security Bypass |
| CVE-2026-32190 | Microsoft Office | 8.4 | RCE |
| CVE-2026-33114 | Microsoft Word | 8.4 | RCE |
| CVE-2026-33115 | Microsoft Word | 8.4 | RCE |
| CVE-2026-33827 | Windows TCP/IP | 8.1 | RCE (Wormable) |
| CVE-2026-33826 | Windows Active Directory | 8.0 | RCE (Likely exploitable) |
Related Chrome and Adobe CVEs
Chrome CVE-2026-5281 (Dawn use-after-free, CVSS 8.8) was the fourth Chrome zero-day of 2026, patched in early April. See “Chrome 146’s Dawn use-after-free is the fourth Chrome zero-day exploited in the wild in 2026” for details.
Adobe Acrobat CVE-2026-34621 (CVSS 8.6) has been actively exploited since at least November 2025, with an emergency patch (APSB26-43) released on April 11. See “Adobe Acrobat Reader patches actively exploited zero-day (CVE-2026-34621 / APSB26-43)” for details.
The AI-Driven Discovery Factor
Krebs’ report also drew attention to the backdrop behind the rising numbers. The ~60 browser vulnerabilities largely reflect Chromium maintainers incorporating reports from a wider pool of researchers, but the near-tripling of ZDI submission rates is hard to separate from the proliferation of AI-powered fuzzing and vulnerability analysis tools.
Finding and fixing vulnerabilities before attackers can weaponize them is welcome, but the operational burden of processing 163 CVEs in a single monthly patch cycle keeps growing. Expect similar volumes going forward.
This Month’s Windows Update Issues
Every Patch Tuesday in 2026 has brought boot-related issues. January’s KB5074109 caused UNMOUNTABLE_BOOT_VOLUME BSODs that left PCs unbootable. February brought black screens and reboot loops on GPU-equipped machines. March produced 10-to-20-minute reboot loops and BSODs (ATTEMPTED_WRITE_TO_READONLY_MEMORY).
| Month | KB | Main Issue |
|---|---|---|
| January | KB5074109 | UNMOUNTABLE_BOOT_VOLUME BSOD, unbootable. Recovery via WinRE required |
| February | KB5077181 | Black screen / reboot loop on GPU-equipped PCs, Wi-Fi failures |
| March | KB5079473 | Reboot loop every 10-20 minutes, BSOD. On Samsung PCs, caused by Galaxy Connect app conflict |
April’s KB5083769 (Windows 11 24H2/25H2) has been relatively stable so far, with no widespread reports of boot loops or BSODs. One known issue affects specific BitLocker Group Policy configurations (PCR7 + Windows UEFI CA 2023 certificate in Secure Boot DB), where the BitLocker recovery key prompt appears after the first reboot. It does not recur on subsequent reboots, and a Known Issue Rollback (KIR) has been issued for enterprise environments. Home users are unlikely to be affected.
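The following added example (not from the article or Microsoft's KIR guidance) approximates the known-issue profile before rolling KB5083769 to a fleet: it checks that the OS volume has a TPM protector, that the PCR validation profile starts with PCR 7, and that the Windows UEFI CA 2023 certificate is present in the Secure Boot DB. The `manage-bde` output format it parses and the ASCII search of the DB bytes are assumptions noted in the comments; run it elevated.

```powershell
# Added example: pre-check a device against the KB5083769 BitLocker known issue
# (PCR 7 validation + Windows UEFI CA 2023 in the Secure Boot DB). Requires admin
# because Get-SecureBootUEFI reads firmware variables.
$osDrive = $env:SystemDrive

$secureBootOn = $false
try { $secureBootOn = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS

# Assumption: the CA's subject CN is stored as ASCII inside the DER certificate,
# so a plain string search over the raw DB bytes is sufficient to detect it.
$ca2023InDb = $false
if ($secureBootOn) {
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $ca2023InDb = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
}

$vol = Get-BitLockerVolume -MountPoint $osDrive
$tpmProtected = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }).Count -gt 0
$recoveryPw   = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0

# Assumption: manage-bde prints "PCR Validation Profile:" followed by the PCR
# list on the next line (e.g. "7, 11"); a leading 7 marks the Secure Boot binding.
$mbde = & manage-bde -protectors -get $osDrive 2>$null | Out-String
$pcr7 = $mbde -match 'PCR Validation Profile:\s*7\b'

[pscustomobject]@{
    OsDrive             = $osDrive
    ProtectionStatus    = [string]$vol.ProtectionStatus
    TpmProtector        = $tpmProtected
    Pcr7Profile         = $pcr7
    WindowsUefiCa2023   = $ca2023InDb
    MatchesKnownIssue   = ($tpmProtected -and $pcr7 -and $ca2023InDb)
    RecoveryPasswordSet = $recoveryPw   # confirm escrow in AD/Entra before deploying
}
```

Devices that report `MatchesKnownIssue` as true should have their recovery keys verified as escrowed before the update is pushed, since the prompt appears once on the first reboot.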
Windows 10’s KB5082200 (22H2 ESU) has no known issues. It actually fixes a previous bug that triggered BitLocker recovery screens on Intel Connected Standby devices.
For patching priority: start with SharePoint CVE-2026-32201 (actively exploited, KEV-listed) and BlueHammer CVE-2026-33825 (public PoC), then address the wormable IKE CVE-2026-33824 (CVSS 9.8).