Microsoft Patches 167 Security Vulnerabilities in Massive Patch Tuesday Update

Microsoft Security Response Center has released one of its largest Patch Tuesday security updates to date, addressing 167 vulnerabilities across Windows, Office, Edge and multiple cloud services.

The April 2026 release represents the second-largest Patch Tuesday update in Microsoft’s history, surpassed only by October 2025. The update includes several critical remote code execution flaws, active zero-day vulnerabilities and security issues affecting enterprise infrastructure components.

Office and SharePoint Vulnerabilities Raise Immediate Concerns

Microsoft patched 14 vulnerabilities affecting its Office product family, including 10 remote code execution flaws. Three of the Office vulnerabilities are classified as critical severity issues.

Among the most serious are CVE-2026-33114 and CVE-2026-33115 affecting Microsoft Word, alongside CVE-2026-32190 impacting Office more broadly.

According to Microsoft, attackers could exploit some of these flaws through the preview pane alone, meaning users may not even need to fully open a malicious Office document for an attack to succeed.

Microsoft also confirmed active exploitation of CVE-2026-32201, a high-risk spoofing vulnerability affecting Microsoft SharePoint Server 2016 and 2019. The company stated that attackers could potentially view or manipulate information through the vulnerability.

Windows Receives More Than 130 Security Fixes

The majority of the patched vulnerabilities — 131 in total — affect supported versions of Windows 11, Windows 10 and Windows Server platforms.

Microsoft classified several Windows vulnerabilities as critical, including multiple remote code execution flaws tied to networking components.

Among the most concerning are CVE-2026-33827 in the TCP/IP stack and CVE-2026-33824 affecting the Internet Key Exchange service. Security researchers consider both potential candidates for wormable attacks capable of spreading automatically across vulnerable systems.

Another critical issue, CVE-2026-32157, impacts the Remote Desktop Client and could allow attacks if users connect to malicious RDP servers.

Zero-Day Exploit Published Before Patch Release

Microsoft also addressed CVE-2026-33825, an elevation-of-privilege vulnerability affecting Microsoft Defender.

The flaw became particularly notable because its discoverer publicly released a demonstration exploit on GitHub after expressing frustration with Microsoft’s initial response process.

Although the vulnerability was not yet under active attack, publicly available exploit code significantly increased urgency surrounding the patch deployment.

Edge Browser and .NET Framework Also Updated

In addition to Windows and Office fixes, Microsoft released updates for Microsoft Edge version 147.0.3912.60.

The update patches 60 Chromium-related vulnerabilities alongside Edge-specific security flaws affecting both desktop and Android versions of the browser.

Microsoft also fixed CVE-2026-23666, a rare critical denial-of-service vulnerability within the .NET Framework. The flaw could allow unauthenticated attackers to disrupt .NET-based applications remotely across a network.

The next scheduled Patch Tuesday update is expected on May 12, 2026.