Microsoft April 2026 Patch Tuesday: the CVE count is the wrong unit
Roughly 160 CVEs landed in April. About six of them change what an IT team does this week.
The April 2026 Patch Tuesday landed at roughly 160 CVEs. Tenable counts 163 Microsoft CVEs and notes that its number omits two non-Microsoft CVEs bundled into the same release. Other trackers count differently. The exact number is less useful than the breakdown: eight Critical, two zero-days (one exploited in the wild, one publicly disclosed), and a long tail of Important and Moderate fixes spread across Windows, Office, SQL Server, Edge, Azure, and several components most teams never open a ticket for.
For most IT teams, the volume is not the question. The question is which fixes change the plan for this week, and which ones flow through the cumulative without further attention.
There are about six.
The six that change the plan
CVE-2026-32201, SharePoint Server. Exploited in the wild, added to CISA KEV on April 14 with a federal action deadline of April 28. If on-premises SharePoint is in your environment and reachable from the internet, this is the highest-priority item on the list. SharePoint advisories have repeatedly turned into mass-exploitation events within two weeks of disclosure, and an active exploit is already in circulation. Treat it as its own incident, not a queue line item.
CVE-2026-33825, Microsoft Defender. Publicly disclosed, with proof-of-concept code available. When disclosure and patch land together, opportunistic abuse typically follows within days rather than weeks. Validate compensating controls if patching has to wait, then patch in the next normal window.
CVE-2026-33824, Windows IKE Service Extensions. Unauthenticated remote code execution over the network, CVSS 9.8. The exposure surface is narrow because IPsec/IKE has to be enabled and reachable: in practice, a host running the IKEEXT service with UDP 500 or 4500 reachable from a less-trusted zone. Where that applies (VPN concentrators, site-to-site tunnels, certain edge Windows hosts), the impact is severe. Confirm exposure rather than assume it.
CVE-2026-33827, Windows TCP/IP. Unauthenticated RCE, CVSS 8.1, with significant constraints. CrowdStrike’s analysis describes an exploitation path that requires a specially crafted IPv6 packet to a node where IPsec is enabled, plus high attack complexity and preparatory conditions. The component ships on every Windows host, so the nominal surface is broader than IKE, but the preconditions make the practical surface narrower than the headline implies. IPv6 is enabled by default on supported Windows versions, so the useful questions are where IPsec is enabled and whether those hosts are reachable from less-trusted network zones.
Any Critical RCE on a service the team actually runs. Exchange on-premises, SQL Server with a public listener, RDP gateway, print services on a domain controller. Microsoft’s advisory lists these in a vacuum. Inventory determines which ones are real for a given environment, and that filtering is the team’s job.
Any patch where timing collides with a real operational constraint. A Critical fix on a system the team cannot take down without coordinating with finance close, a customer release, or a regulated change window is a different decision than a Critical on a back-office host. The CVE list does not see the calendar. The team does.
That is the planning surface. The remaining 157 or so items install with the cumulative update (or, for Office, Edge and the server products, through their own update channels), the host reboots in the normal window, and the work is done.
What the CVE list will not answer
After the technical shortlist, the rest of the triage is a business-impact conversation:
- Does the affected service exist in our environment, and is it internet-facing?
- Is it tied to a process where downtime has a measurable cost (revenue, regulatory, customer trust)?
- Can the patch land in the normal maintenance window, or are we asking the business to absorb disruption because the exposure justifies it?
- If we defer, what compensating controls reduce the risk in the meantime, and who owns confirming they are in place?
CVSS does not answer these. CISA KEV does not answer these. The advisory describes the bug; the team describes what is at stake. That is the part of the prioritization that no external feed will do, and it is where most of the actual decisions get made.
A decision table
A useful at-a-glance model for the queue:
| Signal | Action |
|---|---|
| Exploited in the wild or KEV-listed | Accelerate. Patch this week. |
| Publicly disclosed or PoC available | Accelerate, or validate compensating controls and patch in the next window. |
| Critical unauthenticated network RCE | Prioritize based on exposure. Narrow surface can wait one window; broad surface cannot. |
| Critical on a product not in our inventory | Ignore for planning. Confirm inventory if uncertain. |
| Local EoP or kernel info disclosure | Patch in the normal cycle. Do not open a separate workstream. |
| Office, Edge, or M365 Apps fix | Trust the update channels, if they are healthy. |
The last row is the one teams most often get wrong, which is why the next section addresses it directly.
What does not need a separate triage
The long tail of Important-rated bugs in April includes local elevation-of-privilege fixes, kernel info disclosures, and Office parsing bugs. These matter; a kernel EoP is the step that turns a foothold into SYSTEM and lets a post-exploitation chain continue. They do not change what the team does this week. They change what gets installed when the team patches, which is going to happen anyway because the cumulative carries the high-priority fixes from the shortlist.
The trap is treating the EoP list as a separate workstream. It is not. If patching is happening, all of it is patching. If patching is not happening, individual EoP triage does not save anyone.
The same logic applies to Edge and M365 Apps fixes, with one important condition: it only holds in environments where the update channels are healthy. If Edge and Office are flowing on managed devices and check-in rates are normal, these fixes do not become triage work. If the environment includes frozen VDI gold images, deferred update channels, disconnected servers, or devices that have not checked in for two weeks, they do become triage work. The CVE is the same. The workflow depends on whether the management plane is actually working.
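The "is the channel healthy" condition can be checked from an MDM or Intune-style check-in export before deciding whether an Edge or M365 Apps fix is triage work. The following is an added example, not the newsletter's own tooling: the Device records, the 10 % stale threshold, and the reference time are constructed assumptions; the two-week check-in cutoff is the one the text uses.

```python
"""Decide whether Edge / M365 Apps fixes can be left to their update channels or
need a separate workstream, from device check-in data. Added example; the device
records and the 10 % stale threshold are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Device:
    name: str
    channel: str            # "Edge" | "M365 Apps"
    last_checkin: datetime
    deferred: bool = False  # frozen VDI gold image, deferred ring, disconnected host


@dataclass(frozen=True)
class ChannelReport:
    channel: str
    total: int
    stale: List[str]        # devices that will not pick the fix up on their own
    stale_ratio: float
    healthy: bool           # True: trust the channel; False: this fix is triage work


def channel_health(devices: Iterable[Device], now: datetime,
                   stale_after: timedelta = timedelta(days=14),
                   max_stale_ratio: float = 0.10) -> Dict[str, ChannelReport]:
    """A device counts as stale if it is on a deferred/frozen ring or has not
    checked in within `stale_after` (the article's two weeks)."""
    by_channel: Dict[str, List[Device]] = {}
    for d in devices:
        by_channel.setdefault(d.channel, []).append(d)
    report: Dict[str, ChannelReport] = {}
    for channel, devs in by_channel.items():
        stale = sorted(d.name for d in devs
                       if d.deferred or now - d.last_checkin > stale_after)
        ratio = len(stale) / len(devs)
        report[channel] = ChannelReport(channel, len(devs), stale, ratio,
                                        healthy=ratio <= max_stale_ratio)
    return report


def needs_workstream(report: Dict[str, ChannelReport]) -> List[str]:
    """Channels whose fixes cannot simply be trusted to flow."""
    return sorted(c for c, r in report.items() if not r.healthy)


SAMPLE_NOW = datetime(2026, 4, 21, tzinfo=timezone.utc)  # constructed reference time


def sample_devices(now: datetime) -> List[Device]:
    """Constructed MDM export: Edge ring healthy, M365 Apps ring held back
    by a frozen VDI gold image pair and a laptop that has not checked in."""
    devs = [Device(f"edge-{i:02d}", "Edge", now - timedelta(days=1)) for i in range(19)]
    devs.append(Device("edge-19", "Edge", now - timedelta(days=20)))            # stale
    devs += [Device(f"office-{i:02d}", "M365 Apps", now - timedelta(days=2)) for i in range(7)]
    devs += [Device(f"vdi-gold-{i}", "M365 Apps", now - timedelta(days=60), deferred=True)
             for i in range(2)]
    devs.append(Device("laptop-17", "M365 Apps", now - timedelta(days=15)))     # stale
    return devs


if __name__ == "__main__":
    rep = channel_health(sample_devices(SAMPLE_NOW), SAMPLE_NOW)
    for r in rep.values():
        verdict = "trust channel" if r.healthy else "triage work"
        print(f"{r.channel}: {len(r.stale)}/{r.total} stale -> {verdict}")
    print("separate workstream for:", needs_workstream(rep))
```

The stale list, not the ratio, is the useful output: those device names are the triage work the text describes, and they are the same devices whichever CVE is in question this month.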
A working read of the advisory
A practical sequence for reading any Patch Tuesday advisory:
- Exploited in the wild. Tier one. Patch this week.
- Publicly disclosed, or PoC available. Tier one, same window, unless compensating controls are confirmed in place, in which case it drops to tier two.
- Critical, unauthenticated, network vector. Tier one if it maps to an exposed system, tier two if it does not.
- Critical RCE on a service in our inventory. Tier two. Goes in the next window.
Everything else: tier three. Install with the cumulative, reboot on schedule, log the deployment, close the ticket.
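The decision table and the four-step reading sequence above are the same algorithm, and it is short enough to write down. The following is an added worked example, not the newsletter's own tooling: it tiers a constructed extract of the April advisory against a constructed inventory. The Advisory, Asset and Decision types, the component names, the "sample-*" placeholder rows (not real CVEs), and the severity and impact values filled in for CVE-2026-32201, CVE-2026-33825 and CVE-2026-33827 are all assumptions of the example.

```python
"""Patch Tuesday triage as the article describes it: tier each advisory item by
its exploitation/disclosure signals, then by exposure against local inventory.
Added example; the sample advisory rows and inventory are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    severity: str                 # "Critical" | "Important" | "Moderate"
    impact: str                   # "RCE" | "EoP" | "Info" | "DoS"
    exploited: bool = False       # exploited in the wild
    kev: bool = False             # listed in CISA KEV
    disclosed: bool = False       # publicly disclosed at or before patch time
    poc: bool = False             # proof-of-concept code in circulation
    unauth_network: bool = False  # network vector, no authentication required


@dataclass(frozen=True)
class Asset:
    component: str
    name: str
    internet_facing: bool
    preconditions_met: bool = True  # e.g. IPsec actually enabled for the IKE/TCP-IP items


@dataclass(frozen=True)
class Decision:
    cve: str
    tier: int     # 1 = patch this week, 2 = next window, 3 = rides the cumulative
    reason: str


def triage(adv: Advisory, inventory: Iterable[Asset],
           compensating_controls: FrozenSet[str] = frozenset()) -> Decision:
    """Apply the decision table in order: inventory first, then exploitation,
    disclosure, exposure, and finally severity. CVSS is deliberately not an input."""
    assets = [a for a in inventory if a.component == adv.component]
    if not assets:
        return Decision(adv.cve, 3, "component not in inventory; confirm inventory if uncertain")
    exposed = any(a.internet_facing and a.preconditions_met for a in assets)
    if adv.exploited or adv.kev:
        return Decision(adv.cve, 1, "exploited in the wild / KEV-listed: patch this week")
    if adv.disclosed or adv.poc:
        if adv.cve in compensating_controls:
            return Decision(adv.cve, 2, "publicly disclosed, compensating controls confirmed: next window")
        return Decision(adv.cve, 1, "publicly disclosed, no confirmed compensating controls: patch this week")
    if adv.severity == "Critical" and adv.impact == "RCE" and adv.unauth_network:
        if exposed:
            return Decision(adv.cve, 1, "unauthenticated network RCE on an exposed host: patch this week")
        return Decision(adv.cve, 2, "unauthenticated network RCE, no exposed host meets the preconditions: next window")
    if adv.severity == "Critical" and adv.impact == "RCE":
        return Decision(adv.cve, 2, "Critical RCE on a service we run: next window")
    return Decision(adv.cve, 3, "installs with the cumulative on the normal schedule")


def plan(advisories: Iterable[Advisory], inventory: Iterable[Asset],
         compensating_controls: FrozenSet[str] = frozenset()) -> Dict[int, List[Decision]]:
    inventory = list(inventory)
    decisions = [triage(a, inventory, compensating_controls) for a in advisories]
    return {t: [d for d in decisions if d.tier == t] for t in (1, 2, 3)}


# Constructed sample. Severity/impact for the first two rows and for CVE-2026-33827
# are assumptions for the example; the "sample-*" rows are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    Advisory("CVE-2026-32201", "SharePoint Server", "Critical", "RCE", exploited=True, kev=True),
    Advisory("CVE-2026-33825", "Microsoft Defender", "Important", "EoP", disclosed=True, poc=True),
    Advisory("CVE-2026-33824", "Windows IKE", "Critical", "RCE", unauth_network=True),
    Advisory("CVE-2026-33827", "Windows TCP/IP", "Critical", "RCE", unauth_network=True),
    Advisory("sample-exchange-rce", "Exchange Server", "Critical", "RCE", unauth_network=True),
    Advisory("sample-kernel-eop", "Windows Kernel", "Important", "EoP"),
    Advisory("sample-office-parser", "Microsoft Office", "Important", "RCE"),
]

SAMPLE_INVENTORY = [
    Asset("SharePoint Server", "sp-web-01", internet_facing=True),
    Asset("Microsoft Defender", "managed endpoints", internet_facing=False),
    Asset("Windows IKE", "vpn-edge-01", internet_facing=True, preconditions_met=True),    # IKE listener on the edge
    Asset("Windows TCP/IP", "vpn-edge-01", internet_facing=True, preconditions_met=False),  # no IPsec on that interface
    Asset("Windows TCP/IP", "fs-02", internet_facing=False, preconditions_met=True),
    Asset("Windows Kernel", "all Windows hosts", internet_facing=False),
    Asset("Microsoft Office", "managed endpoints", internet_facing=False),
    # no on-premises Exchange Server in this environment
]


def decision_for(cve: str, compensating_controls: FrozenSet[str] = frozenset()) -> Decision:
    adv = next(a for a in SAMPLE_ADVISORIES if a.cve == cve)
    return triage(adv, SAMPLE_INVENTORY, compensating_controls)


if __name__ == "__main__":
    for tier, items in plan(SAMPLE_ADVISORIES, SAMPLE_INVENTORY).items():
        print(f"tier {tier}:")
        for d in items:
            print(f"  {d.cve}: {d.reason}")
```

Two design points match the text. Inventory is checked before any signal, so an exploited bug in a product the environment does not run never reaches tier one, and CVSS is not a field at all: the score that headlines CVE-2026-33824 and CVE-2026-33827 contributes nothing the severity, vector and exposure fields do not already carry. In this constructed environment the IKE host is reachable with IPsec enabled and lands in tier one, while TCP/IP lands in tier two because no internet-facing host meets its preconditions; swapping those two flags swaps the outcome, which is the "confirm exposure rather than assume it" step in code.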
Why the headline number is the wrong unit
Patch Tuesday volume is rising because Microsoft is shipping more product surface, not because the threat picture doubled overnight. February was around 80 CVEs; April is over 160. The absolute number, on its own, says nothing about whether a given month is heavy or light for a specific environment. The two metrics that change the week are the count of actively exploited items and the count of network-reachable Critical RCEs that map to real inventory.
A 160-CVE month with one exploited zero-day and zero unauthenticated network RCEs is a quiet month. A 50-CVE month with three actively exploited bugs in edge devices is a fire drill. The headline number predicts neither.
What to actually do this week
For a Windows estate, the week looks like this: treat SharePoint as its own incident if it is on-premises and exposed, confirm the Defender fix has landed (or that compensating controls are in place until it does), plan IKE and TCP/IP for the next maintenance window once exposure has been confirmed narrow, and let everything else flow through the cumulative on the normal schedule.
That is six decisions, not 163. The triage is supposed to be short. The advisory is long because Microsoft writes the advisory.
PatchDay Alert covers this gap. Each edition tells the reader what is exploited, what is disclosed, what is exposed in real environments, and what actually changes the patching plan for the week. Not a copy of the advisory, and not a panic headline.
Sources
- April 2026 Patch Tuesday: Updates and Analysis (CrowdStrike)
- Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities (The Hacker News)
- CISA Adds Two Known Exploited Vulnerabilities to Catalog (April 14, 2026)
- Warning: Microsoft Patch Tuesday April 2026 patches 163 vulnerabilities (CCB Belgium)
- Microsoft's April 2026 Patch Tuesday Addresses 163 CVEs (Tenable)
- CVE-2026-32201 Detail (NVD)
- BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-day Vulnerability Explained (Picus Security)
- CVE-2026-33824: Remote Code Execution in Windows IKEv2 (Zero Day Initiative)
- CVE-2026-33827 Detail (NVD)
Related field notes
- A 4.3 that mattered: the 13-day gap between patch and exploitation flag. Microsoft patched CVE-2026-32202 on April 14 without marking it exploited. APT28 had been using it since at least December. The gap between those two facts is where triage models break.
- Cerdigent was a false positive. Check what Defender actually removed. Defender definition 1.449.424.0 flagged two legitimate DigiCert root CA certificates as a high-severity trojan. The alert was a false positive, but if auto-remediation ran before the fix shipped, your certificate store may now be missing trust anchors that TLS depends on.
- Microsoft: the Patch Day cinematic universe. Licensing, patches, email blocking, Copilot, Recall, Windows replacement. Every subplot lands on the same sysadmin's desk.