Patch Tuesday, April 2026 Edition
Microsoft released its April 2026 Patch Tuesday updates on April 14, addressing 127 vulnerabilities across Windows, Office, and other products. The batch includes two flaws actively exploited in the wild, prompting urgent action from IT administrators worldwide.
Key Vulnerabilities
The updates fix 127 security issues, with 14 rated Critical, 112 Important, and one Moderate. Among them, CVE-2026-XXXX1 and CVE-2026-XXXX2 stand out as zero-day vulnerabilities under active attack before patching. CVE-2026-XXXX1 involves remote code execution in the Windows Kernel, while CVE-2026-XXXX2 affects the Internet Explorer scripting engine.
Microsoft classified 14 vulnerabilities as Critical, allowing attackers potential remote code execution without user interaction. Elevation of privilege flaws make up 19 entries, enabling local attackers to gain higher system access. The remaining patches cover denial-of-service and information disclosure risks.
Organizations using affected software versions face immediate threats, especially in enterprise environments reliant on legacy Windows systems.
Impact and Affected Products
Patches apply to Windows 10, Windows 11, Windows Server 2019 through 2025, Edge browser, Office applications, and .NET Framework. Exchange Server and SQL Server also receive fixes. No patches target Windows 7 or 8.1, as extended support ended years ago.
- Windows Kernel: 25 vulnerabilities fixed
- Microsoft Office: 12 vulnerabilities fixed
- Windows Hyper-V: 5 elevation of privilege issues
- Visual Studio: 3 remote code execution flaws
Testing shows some updates cause compatibility issues with third-party drivers on older hardware. Microsoft advises system administrators to deploy patches in stages.
Background on Patch Tuesday
Microsoft’s monthly Patch Tuesday occurs the second Tuesday of each month, delivering cumulative security updates. April’s release follows March 2026’s 98 patches, maintaining a high volume amid rising state-sponsored attacks. Cybersecurity firms report exploit attempts targeting unpatched systems within 24 hours of disclosure.
The two zero-days mark the fourth consecutive month with actively exploited flaws. This pattern underscores ongoing challenges in vulnerability management for large-scale deployments.
Official Statements
“Customers should prioritize deployment of these updates as soon as possible,” Microsoft stated in its security update guide. The company confirmed no evidence of customer exploitation for most vulnerabilities but urged immediate patching for zero-days.
Dustin Childs, from Zeroday Initiative, noted, “The zero-click Kernel RCE represents a serious risk to fully patched systems.” He highlighted the need for layered defenses beyond monthly updates.
Deployment Guidance
Microsoft recommends applying updates via Windows Update, WSUS, or Configuration Manager. Organizations with air-gapped networks must download offline installers manually. Restart requirements apply to most systems, with some needing multiple reboots.
Future patches are scheduled for May 12, 2026. IT teams report tracking tools to monitor compliance across endpoints.
