Today’s Patch Tuesday Alert addresses Microsoft’s April 2026 Security Updates. The FIRE team is actively working on coverage for these vulnerabilities and expect to ship that coverage as soon as it is completed.
In-the-Wild & Disclosed CVEs
Microsoft has reported this Microsoft SharePoint Server spoofing vulnerability as exploit detected, meaning that people should look to apply this patch as soon as possible. According to the advisory, improper input validation could lead to a spoofing attack performed over the network by an unauthorized user. Microsoft has reported this vulnerability as Exploitation Detected.
This appears to be the BlueHammer vulnerability impacting Windows Defender that has captured everyone’s attention for the past week. Fortra has written about this vulnerability in detail. Microsoft has reported this vulnerability as Exploitation More Likely.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also colour coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted
| Tag | CVE Count | CVEs |
| Windows Management Services | 1 | CVE-2026-20930 |
| Windows Secure Boot | 1 | CVE-2026-25250 |
| GitHub Copilot and Visual Studio Code | 1 | CVE-2026-23653 |
| Applocker Filter Driver (applockerfltr.sys) | 1 | CVE-2026-25184 |
| Microsoft Office SharePoint | 2 | CVE-2026-20945, CVE-2026-32201 |
| Windows Virtualization-Based Security (VBS) Enclave | 2 | CVE-2026-23670, CVE-2026-32220 |
| Microsoft Power Apps | 1 | CVE-2026-26149 |
| Windows Remote Desktop | 1 | CVE-2026-26151 |
| Windows Server Update Service | 3 | CVE-2026-26154, CVE-2026-26174, CVE-2026-32224 |
| Windows Local Security Authority Subsystem Service (LSASS) | 2 | CVE-2026-26155, CVE-2026-32071 |
| Windows Remote Desktop Licensing Service | 2 | CVE-2026-26160, CVE-2026-26159 |
| Windows Sensor Data Service | 1 | CVE-2026-26161 |
| Windows OLE | 1 | CVE-2026-26162 |
| Windows Shell | 6 | CVE-2026-26165, CVE-2026-26166, CVE-2026-27918, CVE-2026-32202, CVE-2026-32151, CVE-2026-32225 |
| Windows Push Notifications | 5 | CVE-2026-26167, CVE-2026-32158, CVE-2026-32159, CVE-2026-32160, CVE-2026-26172 |
| Windows Boot Manager | 1 | CVE-2026-26175 |
| Windows Kernel | 7 | CVE-2026-26179, CVE-2026-26180, CVE-2026-32195, CVE-2026-32215, CVE-2026-32217, CVE-2026-32218, CVE-2026-26163 |
| Microsoft Brokering File System | 3 | CVE-2026-26181, CVE-2026-32219, CVE-2026-32091 |
| Windows RPC API | 1 | CVE-2026-26183 |
| Windows Hello | 2 | CVE-2026-27906, CVE-2026-27928 |
| Windows Storage Spaces Controller | 2 | CVE-2026-27907, CVE-2026-32076 |
| Windows TDI Translation Driver (tdx.sys) | 1 | CVE-2026-27908 |
| Windows Universal Plug and Play (UPnP) Device Host | 8 | CVE-2026-27915, CVE-2026-27919, CVE-2026-32075, CVE-2026-32156, CVE-2026-27916, CVE-2026-27920, CVE-2026-27925, CVE-2026-32077 |
| Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) | 1 | CVE-2026-27917 |
| Windows TCP/IP | 2 | CVE-2026-27921, CVE-2026-33827 |
| Desktop Window Manager | 5 | CVE-2026-27924, CVE-2026-32152, CVE-2026-32154, CVE-2026-27923, CVE-2026-32155 |
| Windows Cloud Files Mini Filter Driver | 1 | CVE-2026-27926 |
| Windows Projected File System | 5 | CVE-2026-27927, CVE-2026-26184, CVE-2026-32069, CVE-2026-32074, CVE-2026-32078 |
| Windows LUAFV | 1 | CVE-2026-27929 |
| Windows GDI | 2 | CVE-2026-27931, CVE-2026-27930 |
| Windows Ancillary Function Driver for WinSock | 8 | CVE-2026-32073, CVE-2026-26168, CVE-2026-26173, CVE-2026-26177, CVE-2026-26182, CVE-2026-27922, CVE-2026-33099, CVE-2026-33100 |
| Windows File Explorer | 3 | CVE-2026-32081, CVE-2026-32079, CVE-2026-32084 |
| Windows SSDP Service | 3 | CVE-2026-32082, CVE-2026-32083, CVE-2026-32068 |
| Windows Remote Procedure Call | 1 | CVE-2026-32085 |
| Function Discovery Service (fdwsd.dll) | 4 | CVE-2026-32087, CVE-2026-32093, CVE-2026-32086, CVE-2026-32150 |
| Windows Speech Brokered Api | 2 | CVE-2026-32089, CVE-2026-32090 |
| Remote Desktop Client | 1 | CVE-2026-32157 |
| Windows Boot Loader | 1 | CVE-2026-0390 |
| Windows User Interface Core | 4 | CVE-2026-32165, CVE-2026-27911, CVE-2026-32163, CVE-2026-32164 |
| SQL Server | 3 | CVE-2026-32167, CVE-2026-33120, CVE-2026-32176 |
| Azure Monitor Agent | 2 | CVE-2026-32168, CVE-2026-32192 |
| .NET | 2 | CVE-2026-32178, CVE-2026-26171 |
| Microsoft Windows | 1 | CVE-2026-32181 |
| Windows Snipping Tool | 2 | CVE-2026-32183, CVE-2026-33829 |
| Microsoft High Performance Compute Pack (HPC) | 1 | CVE-2026-32184 |
| Microsoft Office Excel | 5 | CVE-2026-32188, CVE-2026-32189, CVE-2026-32197, CVE-2026-32198, CVE-2026-32199 |
| Windows Redirected Drive Buffering | 1 | CVE-2026-32216 |
| Input-Output Memory Management Unit (IOMMU) | 1 | CVE-2023-20585 |
| Microsoft Graphics Component | 1 | CVE-2026-32221 |
| Windows Win32K - ICOMP | 1 | CVE-2026-32222 |
| Windows USB Print Driver | 1 | CVE-2026-32223 |
| .NET Framework | 2 | CVE-2026-32226, CVE-2026-23666 |
| Microsoft Office Word | 5 | CVE-2026-33095, CVE-2026-33822, CVE-2026-23657, CVE-2026-33114, CVE-2026-33115 |
| Windows HTTP.sys | 1 | CVE-2026-33096 |
| Windows Container Isolation FS Filter Driver | 1 | CVE-2026-33098 |
| .NET, .NET Framework, Visual Studio | 1 | CVE-2026-33116 |
| Microsoft Defender | 1 | CVE-2026-33825 |
| Windows Active Directory | 2 | CVE-2026-33826, CVE-2026-32072 |
| Universal Plug and Play (upnp.dll) | 2 | CVE-2026-32212, CVE-2026-32214 |
| GitHub Repo: Git for Windows | 1 | CVE-2026-32631 |
| Node.js | 1 | CVE-2026-21637 |
| Windows Recovery Environment Agent | 1 | CVE-2026-20928 |
| Windows COM | 2 | CVE-2026-20806, CVE-2026-32162 |
| Microsoft PowerShell | 2 | CVE-2026-26143, CVE-2026-26170 |
| Windows Cryptographic Services | 1 | CVE-2026-26152 |
| Windows Encrypting File System (EFS) | 1 | CVE-2026-26153 |
| Role: Windows Hyper-V | 2 | CVE-2026-26156, CVE-2026-32149 |
| Windows Kernel Memory | 1 | CVE-2026-26169 |
| Windows Client Side Caching driver (csc.sys) | 1 | CVE-2026-26176 |
| Windows Advanced Rasterization Platform | 1 | CVE-2026-26178 |
| Microsoft Windows Search Component | 1 | CVE-2026-27909 |
| Windows Installer | 1 | CVE-2026-27910 |
| Windows Kerberos | 1 | CVE-2026-27912 |
| Windows BitLocker | 1 | CVE-2026-27913 |
| Microsoft Management Console | 1 | CVE-2026-27914 |
| Windows Common Log File System Driver | 1 | CVE-2026-32070 |
| Windows WalletService | 1 | CVE-2026-32080 |
| Windows Biometric Service | 1 | CVE-2026-32088 |
| Microsoft Windows Speech | 1 | CVE-2026-32153 |
| Azure Logic Apps | 1 | CVE-2026-32171 |
| Microsoft Office | 1 | CVE-2026-32190 |
| Windows Admin Center | 1 | CVE-2026-32196 |
| Microsoft Office PowerPoint | 1 | CVE-2026-32200 |
| .NET and Visual Studio | 1 | CVE-2026-32203 |
| Windows Print Spooler Components | 1 | CVE-2026-33101 |
| Microsoft Dynamics 365 (on-premises) | 1 | CVE-2026-33103 |
| Windows Win32K - GRFX | 1 | CVE-2026-33104 |
| Windows IKE Extension | 1 | CVE-2026-33824 |
Other Information
At the time of publication, there were no new advisories included with the April Security Guidance.
Off
