Microsoft issued security updates yesterday during April's Patch Tuesday to resolve 167 flaws. This marks the second-largest batch of fixes in a single Patch Tuesday, surpassed only by the October 2025 release that covered 10 additional issues.
Beyond Windows and Office, impacts extend to Microsoft's cloud offerings. Attackers are actively exploiting one flaw in Office, and a proof-of-concept exploit existed beforehand for a Defender issue. Eight vulnerabilities earn a critical rating from Microsoft, with nearly all others rated as important.
The upcoming Patch Tuesday arrives on May 12, 2026. Further information on the specific fixes follows below.
Microsoft resolved 14 issues across its Office suite. Among them are 10 remote code execution flaws, including three critical ones: CVE-2026-33114 and CVE-2026-33115 affecting Word, plus CVE-2026-32190 impacting Office broadly. Attackers can leverage the preview feature as an entry point, allowing exploitation without users opening malicious files.
A zero-day spoofing flaw, CVE-2026-32201, affects SharePoint Server 2016 and 2019 and carries a high-severity label from Microsoft. It is currently under real-world exploitation. Microsoft notes that threat actors can access and alter data but lack the ability to limit resource permissions. Additional specifics remain undisclosed.
Precisely 131 vulnerabilities target multiple Windows editions, including versions 10, 11, and Server, all still receiving support from Microsoft.
Flaws disclosed prior to patching but not yet exploited qualify as zero-days. This month's example is the elevation-of-privilege issue CVE-2026-33825 in Defender. The researcher who found it notified Microsoft but, dissatisfied with the handling, shared a proof-of-concept on GitHub.
Microsoft tackled various Windows flaws this month, with four remote code execution vulnerabilities rated critical. These encompass CVE-2026-33827 in the TCP/IP protocol stack and CVE-2026-33824 in the Internet Key Exchange service, both potentially suitable for worm-like propagation.
Another critical entry is CVE-2026-32157 in the Remote Desktop Client, exploitable if a user connects to a malicious RDP server under deception. CVE-2026-33826 in Active Directory also qualifies as critical, necessitating user credentials and proximity to the attacker on the local network.
Rounding out the critical list is the eighth one, a denial-of-service flaw CVE-2026-23666 in the .NET Framework. Such DoS issues rarely receive critical status. Here, an unauthenticated adversary could remotely halt nearly any .NET application.
Note that Windows 11 Home users forgo several advantages available in Windows 11 Pro. For a detailed overview, consult our analysis of Windows 11 Home versus Pro editions. Upgrading is available at a discount through the PCWorld Software Store for $59, down from $99.
Edge's recent security patch, version 147.0.3912.60 from April 10, builds on Chromium base 147.0.7727.56 and fixes 60 Chromium-related issues, excluded from the earlier vulnerability count.
This Edge update also covers the browser-specific CVE-2026-33118 and the Android variant CVE-2026-33119.
Advice: Even with timely browser updates, robust antivirus is essential for PC security and privacy. Explore our recommendations for top Windows antivirus options and leading VPN providers to mitigate threats effectively.
This piece first appeared in our affiliated outlet PC-WELT, adapted and translated from its original German version.
Since 2005, Frank Ziemann has contributed freelance articles to PC-WELT, focusing on news and reviews. His expertise centers on IT security topics like malware, antivirus solutions, and vulnerabilities, alongside internet technologies.