Microsoft Patch Tuesday Analysis – April 2026

Executive Summary

On Tuesday, April 14, 2026, Microsoft released its monthly security updates, addressing 165 vulnerabilities across its products.

By severity level:

  • Important - 154;
  • Critical - 8;
  • Low - 1;
  • Moderate - 2.

Exploited (Zero-Days) and Publicly Disclosed Vulnerabilities

Special attention should be paid to the following two vulnerabilities. Patching them is the highest priority:

  • CVE-2026-32201 (CVSS 6.5; Important) - Microsoft SharePoint Server Spoofing Vulnerability (Spoofing). A vulnerability in Microsoft SharePoint Server caused by improper input validation (CWE-20). It allows a remote, unauthenticated attacker to execute a spoofing attack over the network without user interaction. Successful exploitation enables the attacker to gain access to confidential information and modify it without disrupting the server's overall availability.
  • CVE-2026-33825 (CVSS 7.8; Important) - Microsoft Defender Elevation of Privilege Vulnerability (Elevation of Privilege). A vulnerability in the Microsoft Defender Antimalware Platform caused by insufficient access control granularity (CWE-1220). A local authenticated attacker with low privileges can exploit incorrect permissions restrictions in platform components (including the MsMpEng.exe user process and associated kernel drivers) to seize full control of the system with SYSTEM-level privileges.

General Trends

The April 2026 Patch Tuesday has proven to be truly record-breaking and challenging for IT administrators: Microsoft released fixes for a colossal 165 vulnerabilities. This massive release more than doubles last month's figures and brings us back to the peak values seen last autumn. Such a vast volume of updates indicates a global cleanup of the codebase ahead of the spring OS releases. Key trends for April include:

  • Attacks on security and trust systems: Of particular concern is the publicly disclosed vulnerability in Microsoft Defender itself (CVE-2026-33825). Using an antimalware platform for privilege escalation is a classic example of protection tools becoming an attack vector. Coupled with mass fixes for Security Feature Bypasses involving Windows Hello, BitLocker, Secure Boot, Boot Manager, and Windows Shell, this suggests that attackers are actively seeking ways to disable or circumvent core Windows defense mechanisms.
  • Active exploitation of corporate portals: Active exploitation of the spoofing vulnerability in Microsoft SharePoint Server (CVE-2026-32201) has been confirmed. Despite a medium CVSS score (6.5), the fact that it is being used in real-world attacks makes it critically dangerous for the corporate sector, as it allows attackers to stealthily manipulate data and bypass authentication mechanisms.
  • Fundamental network threats (RCE): This month closes a number of critical Remote Code Execution (RCE) vulnerabilities in core network components of the OS. The fixes affect the TCP/IP stack, IKE (IPsec) service, Active Directory, SQL Server, and Remote Desktop Client. Bugs in such low-level and network protocols traditionally open the door to self-propagating threats (worms) and mass infrastructure compromise.
  • Total dominance of Elevation of Privilege (EoP): Out of 165 fixes, the lion's share is aimed at patching local privilege escalation holes. Dozens of components were affected: from AFD, UPnP, and Projected File System drivers to DWM and Win32k. This highlights that once the initial perimeter is breached, attackers have a massive arsenal at their disposal to gain full rights (SYSTEM) on unpatched machines.
  • The ongoing Office crisis: The Microsoft Office suite (including Word and Excel) received yet another batch of RCE fixes. This confirms that malicious documents remain one of the primary payload delivery tools in phishing campaigns.

Complete Vulnerability List

Below is a table detailing all vulnerabilities patched this month.

CVE | Title | Type | CVSS | Severity | Exploited | Publicly Disclosed
CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | Yes
CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability | Spoofing | 6.5 | Important | Yes | No
CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability | Remote Code Execution | 9.8 | Critical | No | No
CVE-2026-26149 | Microsoft Power Apps Security Feature Bypass | Security Feature Bypass | 9.0 | Important | No | No
CVE-2026-26167 | Windows Push Notifications Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | No
CVE-2026-26178 | Windows Advanced Rasterization Platform Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | No
CVE-2026-32157 | Remote Desktop Client Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Critical | No | No
CVE-2026-32171 | Azure Logic Apps Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | No
CVE-2026-32225 | Windows Shell Security Feature Bypass Vulnerability | Security Feature Bypass | 8.8 | Important | No | No
CVE-2026-33120 | Microsoft SQL Server Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No
CVE-2026-27928 | Windows Hello Security Feature Bypass Vulnerability | Security Feature Bypass | 8.7 | Important | No | No
CVE-2026-32091 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Elevation of Privilege | 8.4 | Important | No | No
CVE-2026-32162 | Windows COM Elevation of Privilege Vulnerability | Elevation of Privilege | 8.4 | Important | No | No
CVE-2026-32190 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Critical | No | No
CVE-2026-32221 | Windows Graphics Component Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Important | No | No
CVE-2026-33114 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Critical | No | No
CVE-2026-33115 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Critical | No | No
CVE-2026-33827 | Windows TCP/IP Remote Code Execution Vulnerability | Remote Code Execution | 8.1 | Critical | No | No
CVE-2026-27912 | Windows Kerberos Elevation of Privilege Vulnerability | Elevation of Privilege | 8.0 | Important | No | No
CVE-2026-33826 | Windows Active Directory Remote Code Execution Vulnerability | Remote Code Execution | 8.0 | Critical | No | No
CVE-2026-20930 | Windows Management Services Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-23657 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No
CVE-2026-26143 | Microsoft PowerShell Security Feature Bypass Vulnerability | Security Feature Bypass | 7.8 | Important | No | No
CVE-2026-26153 | Windows Encrypted File System (EFS) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26156 | Windows Hyper-V Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No
CVE-2026-26159 | Remote Desktop Licensing Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26160 | Remote Desktop Licensing Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26161 | Windows Sensor Data Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26162 | Windows OLE Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26163 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26168 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26170 | PowerShell Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26172 | Windows Push Notifications Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26176 | Windows Client Side Caching driver (csc.sys) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26179 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26180 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26181 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26183 | Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-26184 | Windows Projected File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27907 | Windows Storage Spaces Controller Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27909 | Windows Search Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27910 | Windows Installer Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27911 | Windows User Interface Core Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27914 | Microsoft Management Console Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27915 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27916 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27918 | Windows Shell Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27919 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27920 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27923 | Desktop Window Manager Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27924 | Desktop Window Manager Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27927 | Windows Projected File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32069 | Windows Projected File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32074 | Windows Projected File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32076 | Windows Storage Spaces Controller Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32077 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32078 | Windows Projected File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32089 | Windows Speech Brokered Api Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32090 | Windows Speech Brokered Api Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32152 | Desktop Window Manager Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32153 | Windows Speech Runtime Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32154 | Desktop Window Manager Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32155 | Desktop Window Manager Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32158 | Windows Push Notifications Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32159 | Windows Push Notifications Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32160 | Windows Push Notifications Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32163 | Windows User Interface Core Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32164 | Windows User Interface Core Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32165 | Windows User Interface Core Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32168 | Azure Monitor Agent Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32183 | Windows Snipping Tool Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No
CVE-2026-32184 | Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32189 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No
CVE-2026-32192 | Azure Monitor Agent Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-32197 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No
CVE-2026-32198 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No
CVE-2026-32199 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No
CVE-2026-32200 | Microsoft PowerPoint Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No
CVE-2026-32222 | Windows Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-33095 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No
CVE-2026-33098 | Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-33101 | Windows Print Spooler Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No
CVE-2026-27913 | Windows BitLocker Security Feature Bypass Vulnerability | Security Feature Bypass | 7.7 | Important | No | No
CVE-2026-23666 | .NET Framework Denial of Service Vulnerability | Denial of Service | 7.5 | Critical | No | No
CVE-2026-26154 | Windows Server Update Service (WSUS) Tampering Vulnerability | Tampering | 7.5 | Important | No | No
CVE-2026-26171 | .NET Denial of Service Vulnerability | Denial of Service | 7.5 | Important | No | No
CVE-2026-32071 | Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Denial of Service | 7.5 | Important | No | No
CVE-2026-32178 | .NET Spoofing Vulnerability | Spoofing | 7.5 | Important | No | No
CVE-2026-32203 | .NET and Visual Studio Denial of Service Vulnerability | Denial of Service | 7.5 | Important | No | No
CVE-2026-33096 | HTTP.sys Denial of Service Vulnerability | Denial of Service | 7.5 | Important | No | No
CVE-2026-33116 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | Denial of Service | 7.5 | Important | No | No
CVE-2026-32156 | Windows UPnP Device Host Remote Code Execution Vulnerability | Remote Code Execution | 7.4 | Important | No | No
CVE-2026-32149 | Windows Hyper-V Remote Code Execution Vulnerability | Remote Code Execution | 7.3 | Important | No | No
CVE-2026-26151 | Remote Desktop Spoofing Vulnerability | Spoofing | 7.1 | Important | No | No
CVE-2026-32188 | Microsoft Excel Information Disclosure Vulnerability | Information Disclosure | 7.1 | Important | No | No
CVE-2026-25184 | Applocker Filter Driver (applockerfltr.sys) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-26152 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-26165 | Windows Shell Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-26166 | Windows Shell Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-26173 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-26174 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-26177 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-26182 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-27908 | Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-27917 | Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-27921 | Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-27922 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-27926 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-27929 | Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32068 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32070 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32073 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32075 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32080 | Windows WalletService Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32082 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32083 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32086 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32087 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32093 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32150 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32195 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32219 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32224 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-33099 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-33100 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-33104 | Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No
CVE-2026-32223 | Windows USB Printing Stack (usbprint.sys) Elevation of Privilege Vulnerability | Elevation of Privilege | 6.8 | Important | No | No
CVE-2026-0390 | UEFI Secure Boot Security Feature Bypass Vulnerability | Security Feature Bypass | 6.7 | Important | No | No
CVE-2026-32167 | SQL Server Elevation of Privilege Vulnerability | Elevation of Privilege | 6.7 | Important | No | No
CVE-2026-32176 | SQL Server Elevation of Privilege Vulnerability | Elevation of Privilege | 6.7 | Important | No | No
CVE-2026-26155 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No
CVE-2026-27925 | Windows UPnP Device Host Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No
CVE-2026-32151 | Windows Shell Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No
CVE-2026-32072 | Active Directory Spoofing Vulnerability | Spoofing | 6.2 | Important | No | No
CVE-2026-26169 | Windows Kernel Memory Information Disclosure Vulnerability | Information Disclosure | 6.1 | Important | No | No
CVE-2026-32088 | Windows Biometric Service Security Feature Bypass Vulnerability | Security Feature Bypass | 6.1 | Important | No | No
CVE-2026-32196 | Windows Admin Center Spoofing Vulnerability | Spoofing | 6.1 | Important | No | No
CVE-2026-33822 | Microsoft Word Information Disclosure Vulnerability | Information Disclosure | 6.1 | Important | No | No
CVE-2026-32226 | .NET Framework Denial of Service Vulnerability | Denial of Service | 5.9 | Important | No | No
CVE-2026-23653 | GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability | Information Disclosure | 5.7 | Important | No | No
CVE-2026-23670 | Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability | Security Feature Bypass | 5.7 | Important | No | No
CVE-2026-20806 | Windows COM Server Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-27930 | Windows GDI Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-27931 | Windows GDI Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-32079 | Web Account Manager Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-32081 | Package Catalog Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-32084 | Windows Print Spooler Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-32085 | Remote Procedure Call Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-32181 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Denial of Service | 5.5 | Important | No | No
CVE-2026-32212 | Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-32214 | Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-32215 | Windows Kernel Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-32216 | Windows Redirected Drive Buffering System Denial of Service Vulnerability | Denial of Service | 5.5 | Important | No | No
CVE-2026-32217 | Windows Kernel Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-32218 | Windows Kernel Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-33103 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No
CVE-2026-33119 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Spoofing | 5.4 | Moderate | No | No
CVE-2026-20928 | Windows Recovery Environment Security Feature Bypass Vulnerability | Security Feature Bypass | 4.6 | Important | No | No
CVE-2026-20945 | Microsoft SharePoint Server Spoofing Vulnerability | Spoofing | 4.6 | Important | No | No
CVE-2026-26175 | Windows Boot Manager Security Feature Bypass Vulnerability | Security Feature Bypass | 4.6 | Important | No | No
CVE-2026-27906 | Windows Hello Security Feature Bypass Vulnerability | Security Feature Bypass | 4.4 | Important | No | No
CVE-2026-32220 | UEFI Secure Boot Security Feature Bypass Vulnerability | Security Feature Bypass | 4.4 | Important | No | No
CVE-2026-32202 | Windows Shell Spoofing Vulnerability | Spoofing | 4.3 | Important | No | No
CVE-2026-33118 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Spoofing | 4.3 | Low | No | No
CVE-2026-33829 | Windows Snipping Tool Spoofing Vulnerability | Spoofing | 4.3 | Moderate | No | No

Retrospective Vulnerability Analysis

  • CVE-2026-20820 — Windows Common Log File System Driver Elevation of Privilege Vulnerability (Elevation of Privilege). A heap-based buffer overflow vulnerability in the CLFS file system driver that allows a local attacker to escalate privileges to the SYSTEM level. Exploitation is carried out by creating a log container and sending a specially crafted IOCTL request with a buffer that violates memory boundaries (Out-of-Bounds write). A public PoC is available demonstrating the overflow mechanism. The vulnerability was patched in January 2026.

  • CVE-2026-21509 — Microsoft Office Security Feature Bypass Vulnerability (Security Feature Bypass). This vulnerability is related to the improper reliance on input validation when making security decisions (CWE-807). An attacker can create a specially crafted DOCX document with an embedded OLE object in which the Class ID (CLSID) is modified. This allows for a local bypass of Office security features, forcing the application to initialize potentially dangerous components (such as Shell.Explorer) without proper verification. A Python PoC is available that automates the creation of the malicious document by patching the OLE file headers. Patched in January 2026.

  • CVE-2026-20929 — Windows HTTP.sys Elevation of Privilege Vulnerability (Elevation of Privilege). A vulnerability in the HTTP.sys driver and Kerberos authentication components that allows for a CNAME Abuse technique to conduct Kerberos Relay attacks. The issue lies in improper access rights validation and the behavior of the Kerberos client: upon receiving a CNAME DNS record, the Windows client trusts the alias and forms a TGS request using the hostname from the CNAME as the SPN. This allows an attacker in a DNS MITM position (e.g., via IPv6/DHCPv6) to force any domain user to request a Kerberos ticket for a service chosen by the attacker and redirect it to nodes where Channel Binding (CBT) or signing enforcement is not configured. An extended PoC is available on GitHub featuring CNAME poisoning functions, which allows for SYSTEM-level privilege acquisition. The vulnerability was patched in January 2026.

  • CVE-2026-24289 — Windows Kernel Elevation of Privilege Vulnerability (Elevation of Privilege). A Use-After-Free (UAF) vulnerability in the Windows kernel (ntoskrnl.exe) arising from a race condition during I/O Completion Ports (IOCP) processing. The issue is that the IopCompleteRequest function reads the completion context from the file object without acquiring the necessary spin lock, allowing a local attacker to free or replace this context while it is still in use via a parallel NtSetInformationFile call. Successful exploitation allows for privilege escalation to the SYSTEM level. The published PoC demonstrates the race mechanism, resulting in a fatal system crash (BSOD) with error code 0x18 (REFERENCE_BY_POINTER) on vulnerable builds. The vulnerability was patched in March 2026.

  • CVE-2026-24291 — Windows Accessibility Infrastructure (ATBroker.exe) Elevation of Privilege Vulnerability (Elevation of Privilege). A logical vulnerability, dubbed "RegPwn", related to the incorrect assignment of access rights to registry keys (CWE-732) used by the ATBroker.exe process. When the system transitions into "Secure Desktop" mode (e.g., when locking the screen or prompting a UAC window), the system process copies configuration data from registry branches that are normally writable by a standard user. Using registry symbolic links and opportunistic locks (oplocks) on the oskmenu.xml file, a local attacker can redirect the write operation to modify critical system parameters (such as a service's ImagePath), allowing arbitrary code execution with SYSTEM privileges. The vulnerability was patched in March 2026.

  • CVE-2026-23671 — Windows Bluetooth RFCOMM Protocol Driver Elevation of Privilege Vulnerability (Elevation of Privilege). A race condition vulnerability in the Bluetooth RFCOMM protocol driver (bthport.sys) that allows a local attacker to escalate privileges to the SYSTEM level. The flaw lies in improper synchronization of access to channel objects (TOCTOU), making it possible to spoof the channel descriptor in the short window between access rights verification and operation execution. A public BlueSploit PoC module by researcher v33ru is available, demonstrating the attack using the SABM flood method to seize the system security context. The vulnerability was patched in March 2026.

Conclusion

The April 2026 update is a critical event requiring maximum concentration and immediate action from IT departments. The massive number of patches (165) will require careful deployment planning and testing; however, the process cannot be delayed due to the presence of actively exploited flaws and fundamental network threats.

Patching priorities for April:

  1. Immediate response (Zero-Days): Roll out updates to SharePoint servers to block the actively exploited CVE-2026-32201. Additionally, urgently update the Microsoft Defender platform (CVE-2026-33825) to prevent the antivirus from being used against the system itself.
  2. Network perimeter and infrastructure protection: Critical RCEs in the IKE, TCP/IP, and Active Directory services are a "nightmare" scenario for network administrators. Internet-facing servers (especially VPN and IPsec gateways) and Domain Controllers must be updated on the very first night.
  3. Endpoint protection: Install patches for components responsible for bypassing security (Windows Shell, SmartScreen, BitLocker), and update the Microsoft Office suites to neutralize attack vectors via phishing and malicious links.
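As an added example that is not part of the original analysis, the script below applies the three priority tiers above to rows of the vulnerability table so that a large release like this one can be ordered mechanically. The CSV excerpt is constructed from the table in this article, and the component keyword lists that decide tiers 2 and 3 are this example's own assumption.

```python
"""Patch-priority triage for the April 2026 table (added example).

Tiers follow the Conclusion of the analysis:
  1. exploited in the wild or publicly disclosed,
  2. Remote Code Execution in core network/infrastructure components,
  3. Security Feature Bypass and Office RCE,
  4. everything else, ordered by CVSS.
"""
import csv
import io
from dataclasses import dataclass

# Constructed excerpt of the article's table (CVE, title, type, CVSS,
# severity, exploited, publicly disclosed); values are copied from it.
SAMPLE_CSV = """cve,title,type,cvss,severity,exploited,disclosed
CVE-2026-33825,Microsoft Defender Elevation of Privilege Vulnerability,Elevation of Privilege,7.8,Important,No,Yes
CVE-2026-32201,Microsoft SharePoint Server Spoofing Vulnerability,Spoofing,6.5,Important,Yes,No
CVE-2026-33824,Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability,Remote Code Execution,9.8,Critical,No,No
CVE-2026-33827,Windows TCP/IP Remote Code Execution Vulnerability,Remote Code Execution,8.1,Critical,No,No
CVE-2026-33826,Windows Active Directory Remote Code Execution Vulnerability,Remote Code Execution,8.0,Critical,No,No
CVE-2026-32157,Remote Desktop Client Remote Code Execution Vulnerability,Remote Code Execution,8.8,Critical,No,No
CVE-2026-27913,Windows BitLocker Security Feature Bypass Vulnerability,Security Feature Bypass,7.7,Important,No,No
CVE-2026-33114,Microsoft Word Remote Code Execution Vulnerability,Remote Code Execution,8.4,Critical,No,No
CVE-2026-27923,Desktop Window Manager Elevation of Privilege Vulnerability,Elevation of Privilege,7.8,Important,No,No
CVE-2026-33118,Microsoft Edge (Chromium-based) Spoofing Vulnerability,Spoofing,4.3,Low,No,No
"""

# Assumed keyword lists (this example's choice, matching the components the
# "General Trends" section names; not from any Microsoft tooling).
NETWORK_KEYWORDS = ("TCP/IP", "Internet Key Exchange", "Active Directory",
                    "SQL Server", "Remote Desktop")
OFFICE_KEYWORDS = ("Microsoft Office", "Microsoft Word", "Microsoft Excel",
                   "Microsoft PowerPoint")


@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    vtype: str
    cvss: float
    severity: str
    exploited: bool
    disclosed: bool


def parse_table(text: str) -> list:
    """Parse a CSV export of the table; reject rows with a malformed CVSS."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        try:
            score = float(r["cvss"])
        except (TypeError, ValueError):
            raise ValueError(f"bad CVSS value in row {r.get('cve')}")
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"CVSS out of range in row {r['cve']}")
        rows.append(Vuln(r["cve"], r["title"], r["type"], score, r["severity"],
                         r["exploited"].strip().lower() == "yes",
                         r["disclosed"].strip().lower() == "yes"))
    return rows


def tier(v: Vuln) -> int:
    """Map one row to the priority tier from the Conclusion."""
    is_rce = v.vtype == "Remote Code Execution"
    if v.exploited or v.disclosed:
        return 1
    if is_rce and any(k in v.title for k in NETWORK_KEYWORDS):
        return 2
    if v.vtype == "Security Feature Bypass" or (
            is_rce and any(k in v.title for k in OFFICE_KEYWORDS)):
        return 3
    return 4


def prioritize(vulns):
    # Within a tier, confirmed exploitation outranks mere disclosure,
    # then higher CVSS; the CVE id is a stable tie-breaker.
    return sorted(vulns, key=lambda v: (tier(v), not v.exploited, -v.cvss, v.cve))


def tier_counts(vulns) -> dict:
    counts = {1: 0, 2: 0, 3: 0, 4: 0}
    for v in vulns:
        counts[tier(v)] += 1
    return counts


if __name__ == "__main__":
    for v in prioritize(parse_table(SAMPLE_CSV)):
        print(f"tier {tier(v)}  {v.cve}  {v.cvss:4.1f}  {v.severity:<9}  {v.title}")
```

Run against a full export of the table, the output is the deployment order the three priorities describe; rows that match none of the keyword lists fall to tier 4 and are ordered by CVSS alone.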

It is also highly recommended to carefully review the "Retrospective Vulnerability Analysis" section. The emergence of powerful public exploits for March and February vulnerabilities (such as Kerberos CNAME Abuse, RegPwn for ATBroker, and kernel overflows) means that attackers have already automated attacks on systems that were not updated in the first quarter of 2026. Addressing your technical debt regarding patches is absolutely vital right now.
