Microsoft April 2026 Patch Tuesday: 164 CVEs, Windows RCE Zero-Day

Microsoft released its April 2026 Patch Tuesday update fixing 164 CVEs — the largest single Patch Tuesday release of 2026 so far. Eight are rated Critical. One is confirmed actively exploited in the wild. One was publicly disclosed before the patch dropped.

If your Windows systems have not applied the April 2026 cumulative update, you have an unauthenticated remote code execution vulnerability in your TCP/IP stack sitting open on every internet-facing Windows server.

The Critical Patch: CVE-2026-33827

CVE-2026-33827 is a remote code execution vulnerability in the Windows TCP/IP stack with a CVSS score of 8.1. The critical detail: unauthenticated. An attacker with network access to a vulnerable system does not need credentials, a user to click anything, or any prior foothold. They send a specially crafted packet to the TCP/IP stack and achieve code execution.

The affected attack surface is every Windows Server and Windows 10/11 system with network exposure. In a typical enterprise, that means domain controllers, file servers, web servers, and any Windows machine reachable from the network perimeter.

The CVSS 8.1 score reflects that the attack complexity is rated Medium — exploitation requires specific network conditions but not user interaction. In practice, researchers are already producing working proof-of-concept code. Expect weaponised exploits in active campaigns within 7-14 days of patch release.

Patch priority: immediate, out-of-cycle if needed. Do not wait for monthly patch windows. Domain controllers and internet-facing Windows servers first.

The Actively Exploited Zero-Day

One CVE in this Patch Tuesday was confirmed exploited in the wild before Microsoft released the fix. Microsoft has not released full technical details to prevent widening the exploitation window, but the vulnerability is in a Windows core component that handles authentication tokens.

The exploitation pattern matches targeted attack campaigns — not yet mass exploitation. That means the initial victims are high-value targets: financial institutions, defence contractors, government agencies. Mass exploitation typically follows 2-4 weeks after a targeted zero-day becomes public.

The patch for the actively exploited zero-day is in the April 2026 cumulative update. There is no standalone fix — you apply the full cumulative update.

The Full Critical CVE List

Eight CVEs are rated Critical in the April 2026 release:

CVE-2026-33827 — Windows TCP/IP RCE (CVSS 8.1): Unauthenticated network RCE. Patch immediately.

Windows Hyper-V RCE (two CVEs): Hypervisor escape vulnerabilities. Critical for cloud and virtualisation infrastructure. An attacker inside a guest VM can potentially escape to the host. If you run Hyper-V in production, these are priority patches alongside CVE-2026-33827.

Microsoft SharePoint Server RCE: Authenticated RCE in SharePoint. Requires an attacker with at least Site Member permissions. Lower urgency than unauthenticated CVEs but still Critical — patch within 48 hours for internet-exposed SharePoint.

Windows DNS Server RCE: Critical for organisations running Windows DNS. An attacker who can send crafted DNS queries achieves code execution on the DNS server. This is a significant lateral movement risk once an attacker is inside the network perimeter.

Azure-related CVEs (two): Microsoft is patching Azure-side components. These are handled automatically by Microsoft for Azure-hosted services — no customer action required for PaaS/SaaS. Azure IaaS customers running Windows Server VMs need to apply the cumulative update.

Microsoft Edge (Chromium) Critical: Browser RCE via a crafted webpage. Microsoft Edge auto-updates but enterprise environments with delayed update policies need to push this manually.

The CISA Deadline: Apache ActiveMQ

Separate from Patch Tuesday, CISA issued a binding directive with an April 30, 2026 deadline for Federal agencies to patch Apache ActiveMQ CVE-2026-34197 (CVSS 8.8 RCE). This is not a Microsoft vulnerability but coincides with Patch Tuesday timing and affects many enterprises that run ActiveMQ as a message broker.

If your infrastructure includes Apache ActiveMQ — common in Java enterprise stacks, event-driven architectures, and legacy middleware — check your version against the CVE threshold and patch before April 30. The CISA deadline applies to Federal agencies but is a reliable signal that this vulnerability is being actively exploited against a broad target set.

Developer and DevOps Action List

Immediate (today):

• Apply April 2026 cumulative update to all internet-facing Windows servers
• Patch domain controllers first — CVE-2026-33827 domain controller compromise = full network compromise
• Push Microsoft Edge update to enterprise endpoints

Within 48 hours:

• Patch Hyper-V hosts — guest escape vulnerabilities
• Patch SharePoint Server if internet-exposed
• Patch Windows DNS servers

Before April 30:

• Audit Apache ActiveMQ deployments, patch for CVE-2026-34197
• Verify Azure IaaS Windows VMs have received cumulative update (check Azure Update Manager)

Cloud-hosted (no action needed):

• Azure PaaS services (App Service, Azure SQL, etc.) — Microsoft patches automatically
• Microsoft 365 / SharePoint Online — patched on Microsoft's side

The 164 CVE Count in Context

164 CVEs in a single Patch Tuesday is unusually high. The 2026 average before April was 89 CVEs per month. The April release is nearly double the monthly average.

The elevated count reflects two trends converging: Microsoft's AI Copilot features have introduced new attack surface across every Office and Windows product, and the security research community has been running aggressive automated fuzzing against Windows components using AI-assisted tools. More CVEs found = more CVEs patched.

The high count does not mean every CVE is critical — 156 of the 164 are Important or Moderate, not Critical. But the 8 Critical and 1 actively exploited zero-day mean this Patch Tuesday cannot wait for monthly maintenance windows.

Key Takeaways

• 164 CVEs in April 2026 Patch Tuesday — largest release of 2026, 8 Critical, 1 actively exploited zero-day, 1 publicly disclosed before patch
• CVE-2026-33827 (CVSS 8.1) is the priority: unauthenticated Windows TCP/IP RCE — patch domain controllers and internet-facing servers immediately, do not wait for maintenance windows
• Hyper-V guest escape vulnerabilities: patch Hyper-V hosts within 48 hours — guest VM to host escape is a critical cloud infrastructure risk
• Apache ActiveMQ CVE-2026-34197: CISA deadline April 30 — audit and patch all ActiveMQ deployments before the deadline
• Azure PaaS customers: no action needed — Microsoft handles patches for managed services; Azure IaaS (Windows Server VMs) requires cumulative update application

For the Adobe Acrobat RCE patched earlier this week, read Adobe CVE-2026-34621: Acrobat RCE Actively Exploited — Patch Now. For the IRGC cyber threat landscape, read Will IRGC Ransomware Stop After Iran Nuclear Deal?. Check your email security with the Email Spoof Checker.