NullSec.news// Cyber news for anyone

April 2026 Patch Tuesday: Two Zero-Days, a CVSS 9.8 IKE Flaw, and 164 CVEs Demand Urgent Attention

Microsoft's April 2026 Patch Tuesday addresses 164 vulnerabilities - double March's count - including one actively exploited SharePoint zero-day, a disclosed Defender privilege escalation linked to the BlueHammer exploit, and a CVSS 9.8 unauthenticated RCE in the Windows IKE Extension. Browser updates from Google and Mozilla add another layer of urgency.


Microsoft's April 2026 Patch Tuesday is one of the largest security releases in recent memory. The update addresses 164 CVEs - roughly double the volume of March 2026 - spanning Windows, Office, SharePoint, Active Directory, .NET, and more [1]. Two zero-days, eight critical-severity flaws, and a dominant share of elevation-of-privilege bugs define a release that demands prompt triage across enterprise environments. Separately, Google and Mozilla shipped critical browser patches the same week.

The Zero-Days

CVE-2026-32201 - SharePoint Server Spoofing (CVSS 6.5, exploited in the wild). This improper input validation flaw allows unauthenticated remote attackers to view and modify sensitive information on SharePoint without user interaction [1]. Although rated Important rather than Critical, active exploitation makes it a top patching priority for any organization running on-premises SharePoint.

CVE-2026-33825 - Microsoft Defender Elevation of Privilege (CVSS 7.8, publicly disclosed). A local attacker with low privileges can escalate to SYSTEM by exploiting an insufficient access control flaw in Microsoft Defender. Proof-of-concept code exists and Microsoft rates exploitation as "more likely" [1]. CrowdStrike notes this is presumed to be the CVE for the BlueHammer exploit released on April 2, 2026, though no official confirmation has been issued [1]. On most systems the fix installs automatically via Defender's update mechanism.

The Highest-Severity Critical: Windows IKE Extension (CVSS 9.8)

CVE-2026-33824 is a double-free vulnerability in the Windows Internet Key Exchange (IKE) Extension that allows unauthenticated remote code execution via specially crafted packets sent to systems running IKEv2 [1]. No user interaction is needed and attack complexity is low - a combination that makes this the most dangerous individual CVE in the release. Any Windows machine acting as a VPN endpoint, IPSec gateway, or domain controller with IKE enabled is exposed.

Other Critical Flaws Worth Tracking

Three Microsoft Office and Word RCE flaws (CVE-2026-32190, CVE-2026-33114, CVE-2026-33115) share a notable trait: all three can be triggered through the Outlook Preview Pane, meaning a user does not need to open the malicious file for code execution to occur [1]. Organizations that have not disabled Preview Pane rendering of untrusted attachments should treat these as high priority.

The Windows TCP/IP RCE (CVE-2026-33827, CVSS 8.1) targets IPv6 nodes where IPSec is enabled but requires the attacker to win a race condition, raising the attack complexity. The Active Directory RCE (CVE-2026-33826, CVSS 8.0) is limited to authenticated attackers within the same AD domain - relevant for lateral movement scenarios.

Browser Updates: Chrome 147 and Firefox 150

In parallel, Google released Chrome 147 with fixes for 30 security issues, including four critical use-after-free flaws (CVE-2026-7363, CVE-2026-7361, CVE-2026-7344, CVE-2026-7343) in Canvas, iOS, Accessibility, and Views components [2]. Mozilla shipped Firefox 150.0.1 addressing four vulnerabilities, including critical memory safety bugs (CVE-2026-7322, CVE-2026-7323, CVE-2026-7324) that Mozilla acknowledges could be exploited for arbitrary code execution [2].

What to Prioritize

Elevation of privilege accounted for 93 of the 164 CVEs (57%), making it the dominant vulnerability class this month [1]. For triage purposes:

  • Patch immediately: CVE-2026-33824 (IKE, CVSS 9.8), CVE-2026-32201 (SharePoint, exploited), CVE-2026-33825 (Defender, PoC available).
  • Patch urgently: The three Office/Word Preview Pane RCEs, Remote Desktop Client RCE, and Active Directory RCE.
  • Update browsers: Chrome 147 and Firefox 150 across all managed endpoints.

The sheer volume - 164 Microsoft CVEs plus 34 browser fixes - makes this a cycle where automated patch management and risk-based prioritization are essential. Enterprises relying on manual workflows should focus first on the items with confirmed exploitation, public PoC code, or unauthenticated remote attack vectors.
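
The prioritization criteria above (confirmed exploitation, public PoC, unauthenticated remote vector) can be expressed as a small triage routine over a vulnerability feed. This is an added example, not code from this site, CrowdStrike or Microsoft. The tier names and rule thresholds are assumptions, and the CVSS vectors are constructed to match the scores and descriptions in this article rather than taken from the official advisories.

```python
from dataclasses import dataclass

@dataclass
class Cve:
    cve_id: str
    score: float            # CVSS base score as quoted in the article
    vector: str             # constructed to fit the article, not the official vector
    exploited: bool = False
    public_poc: bool = False

def parse_vector(vector):
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    metrics = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed CVSS metric: {part!r}")
        metrics[key] = value
    missing = {"AV", "AC", "PR", "UI"} - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks metrics: {sorted(missing)}")
    return metrics

def tier(cve):
    m = parse_vector(cve.vector)
    unauth_remote = m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N"
    # Assumed rule: exploitation, public PoC, or low-complexity unauthenticated remote reach
    if cve.exploited or cve.public_poc or (unauth_remote and m["AC"] == "L"):
        return "immediate"
    if m["AV"] in ("N", "A"):   # still reachable over the network or an adjacent segment
        return "urgent"
    return "scheduled"

def triage(cves):
    order = {"immediate": 0, "urgent": 1, "scheduled": 2}
    ranked = sorted(cves, key=lambda c: (order[tier(c)], -c.score))
    return [(c.cve_id, tier(c)) for c in ranked]

# Sample records: IDs, scores and flags from the article; vectors constructed.
SAMPLE = [
    Cve("CVE-2026-33826", 8.0, "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    Cve("CVE-2026-32201", 6.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", exploited=True),
    Cve("CVE-2026-33827", 8.1, "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Cve("CVE-2026-33825", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", public_poc=True),
    Cve("CVE-2026-33824", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Cve("CVE-PLACEHOLDER-0001", 6.7, "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"),  # made up
]

if __name__ == "__main__":
    for cve_id, t in triage(SAMPLE):
        print(f"{t:10} {cve_id}")
```

In practice the `exploited` and `public_poc` flags would come from the vendor advisory or an exploitation catalogue rather than being set by hand.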


Image: Kelly Sikkema / Unsplash

Sources

  1. April 2026 Patch Tuesday: Two Zero-Days and Eight Critical Vulnerabilities Among 164 CVEs — CrowdStrike
  2. Chrome 147, Firefox 150 Security Updates Rolling Out — SecurityWeek
