Microsoft fixes 167 security flaws in April, second biggest Patch Tuesday ever
With April’s Patch Tuesday hitting just yesterday, Microsoft released updates to address 167 security vulnerabilities. This is the second highest number of vulnerabilities ever patched on a single Patch Tuesday, beaten only by October 2025, when there were 10 more.
In addition to Windows and Office, Microsoft’s cloud services are affected. One Office vulnerability is already being exploited in the wild, and an exploit for one Defender vulnerability was publicly known before the patch. Microsoft classifies eight of these vulnerabilities as critical. Almost all of the remaining ones are designated as high risk.
The next Patch Tuesday is scheduled for May 12th, 2026. Keep reading for more details on exactly what was patched this time around.
Office vulnerabilities
Microsoft has fixed 14 vulnerabilities in its Office family of products. These include 10 RCE (remote code execution) vulnerabilities, three of which are classified as critical: CVE-2026-33114 and CVE-2026-33115 in Word, as well as CVE-2026-32190 in Office generally. Here, the preview pane is an attack vector—a user doesn’t even need to open a malicious Office file for an attack to succeed.
The zero-day spoofing vulnerability CVE-2026-32201 in SharePoint Server 2016 and 2019, which Microsoft classifies as high risk, is already being exploited in the wild. According to Microsoft, attackers could view and manipulate information but can’t restrict access to the affected resource. No further details were provided.
Windows vulnerabilities
A large number of the vulnerabilities—131 to be exact—are spread across the various Windows versions (10, 11, Server) for which Microsoft still provides security updates.
Security vulnerabilities that are not under active attack but were publicly known before the update are also counted as zero-day vulnerabilities. This time around, that applies to the EoP (elevation of privilege) vulnerability CVE-2026-33825 in Defender. Its discoverer had reported it to Microsoft and, frustrated by what he considered an inadequate response, published a demo exploit on GitHub.
Critical Windows vulnerabilities
Among the numerous vulnerabilities in Windows that Microsoft is addressing this month, four RCE vulnerabilities are classified as critical. These include CVE-2026-33827 in the TCP/IP stack and CVE-2026-33824 in the Internet Key Exchange (IKE) service, both of which are candidates for wormable exploitation because they can be reached over the network without user interaction.
Also classified as critical is CVE-2026-32157 in the Remote Desktop Client. To exploit it, a user would need to be tricked into connecting to an attacker-controlled RDP server. There’s also CVE-2026-33826 in Active Directory, which requires an authenticated user and an attacker on the same local network segment.
The eighth and final vulnerability classified as critical is the DoS (denial of service) vulnerability CVE-2026-23666 in the .NET Framework. DoS vulnerabilities classified as critical are rather rare. In this case, an unauthenticated attacker could use the network to bring virtually any .NET-based application to a standstill.
By the way: If you’re using Windows 11 Home, you’re missing out on the many benefits of Windows 11 Pro. To learn more, see our comparison of Windows 11 Home and Pro. If you want to upgrade, snag it for cheap in the PCWorld Software Store: now just $59 instead of $99.
Edge updates
The latest security update to Edge 147.0.3912.60 is dated April 10th and is based on Chromium 147.0.7727.56. It addresses 60 Chromium vulnerabilities, which aren’t included in the total number of vulnerabilities mentioned above.
The update also addresses the Edge-specific vulnerability CVE-2026-33118, as well as CVE-2026-33119 in Edge for Android.
Tip: Even if you keep your browser up to date, you still need proper antivirus protection if you want your PC to remain secure and private. Check out our picks for the best antivirus software for Windows as well as the best VPN services to stay ahead of security problems.