wEh YBiig KBIKm

Microsoft Releases April 2026 Patch Tuesday Update: 168 Vulnerabilities Patched Including Active Zero-Day Exploit

Microsoft has addressed a critical security gap by releasing its April 2026 Patch Tuesday updates, covering 168 vulnerabilities across its product ecosystem. The release includes patches for one actively exploited zero-day vulnerability and numerous elevation of privilege flaws that pose immediate risks to enterprise environments.

System administrators and security teams are urged to prioritize deploying these updates immediately to protect their networks from active exploitation campaigns.

The SharePoint Server Zero-Day: CVE-2026-32201

The most pressing vulnerability in this month’s update is CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server that is currently being exploited in the wild. Threat actors have already weaponized this zero-day, making it an active threat to organizations relying on SharePoint for collaboration and document management.

Given that SharePoint is fundamental to enterprise operations, this vulnerability represents a significant risk to business continuity. Security teams should treat patching this flaw as an immediate priority to prevent unauthorized network spoofing and data access.

Critical Elevation of Privilege and Disclosure Vulnerabilities

Beyond the zero-day threat, the Microsoft Security Response Center (MSRC) has highlighted several high-severity vulnerabilities requiring immediate remediation:

  • Azure Data Studio (CVE-2024-26203) — An elevation of privilege vulnerability (CVSS 7.3) that allows local attackers to bypass security controls and escalate permissions, potentially compromising system confidentiality and integrity.
  • Xbox Gaming Services (CVE-2024-28916) — An elevation of privilege flaw (CVSS 8.8) in Xbox Crypto Graphic Services that could grant attackers elevated system access rights.
  • .NET Framework (CVE-2024-29059) — An information disclosure vulnerability (CVSS 7.5) that could expose sensitive system data to unauthorized users.
  • Outlook for Android (CVE-2024-26204) — An information disclosure flaw affecting mobile email users, requiring urgent app updates across enterprise deployments.

Microsoft Edge Browser and Chromium Security Updates

The April patch cycle delivers extensive security improvements for the Chromium-based Microsoft Edge browser. Updates resolve a low-severity spoofing bug (CVE-2024-29057, CVSS 4.3) and multiple security feature bypasses (CVE-2024-26246, CVE-2024-26247).

Microsoft also integrated critical upstream Chromium patches addressing severe memory management issues, including:

  • Use-after-free vulnerabilities in WebCodecs (CVE-2024-2886), Dawn (CVE-2024-2885), Canvas (CVE-2024-2627), and ANGLE (CVE-2024-2883)
  • Type confusion in WebAssembly (CVE-2024-2887)
  • Out-of-bounds reading in Swiftshader (CVE-2024-2626)
  • iOS-specific implementation and interface bugs (CVE-2024-2628, CVE-2024-2629, CVE-2024-2630)

Linux and Open-Source Component Vulnerabilities

The update extends to Mariner and integrated open-source tools. Microsoft patched serious directory traversal (CVE-2024-27318) and out-of-bounds read (CVE-2024-27319) flaws in the ONNX package.

The company also resolved multiple Linux kernel vulnerabilities, including out-of-bounds memory access in LoongArch (CVE-2024-26588) and dangerous race conditions in TLS operations (CVE-2024-26583, CVE-2024-26585).

Recommended Mitigation Strategies

Security professionals recommend the following actions to maintain strong network defense:

  • Deploy the April 2026 security updates across all Microsoft servers immediately, prioritizing public-facing SharePoint environments.
  • Update Azure Data Studio and enforce the principle of least privilege for all local user accounts.
  • Ensure automated updates are active for Microsoft Edge and mobile applications like Outlook for Android.
  • Continuously monitor system logs for unusual privilege escalation attempts, spoofing behaviors, or unauthorized network access.
  • Conduct vulnerability assessments to identify systems still running unpatched versions of affected Microsoft products.

Complete CVE Reference Table

CVE Title / Description Type Severity Product / Component
CVE-2024-29059 .NET Framework Information Disclosure Vulnerability Information Disclosure Important .NET Framework
CVE-2024-29057 Microsoft Edge (Chromium-based) Spoofing Vulnerability Spoofing Low Microsoft Edge (Chromium-based)
CVE-2024-28916 Xbox Gaming Services Elevation of Privilege Vulnerability Elevation of Privilege Important XBox Crypto Graphic Services
CVE-2024-2887 Chromium: Type Confusion in WebAssembly Type Confusion Not stated Microsoft Edge (Chromium-based)
CVE-2024-2886 Chromium: Use after free in WebCodecs Use-After-Free Not stated Microsoft Edge (Chromium-based)
CVE-2024-2885 Chromium: Use after free in Dawn Use-After-Free Not stated Microsoft Edge (Chromium-based)
CVE-2024-28849 Proxy-Authorization header kept across hosts in follow-redirects Header Leakage Not stated Mariner
CVE-2024-2883 Chromium: Use after free in ANGLE Use-After-Free Not stated Microsoft Edge (Chromium-based)
CVE-2024-27319 ONNX out-of-bounds read due to off-by-one string copy Out-of-bounds Read Not stated Mariner
CVE-2024-27318 ONNX directory traversal via external_data path Directory Traversal Not stated Mariner
CVE-2024-27308 Mio’s tokens for named pipes may be delivered after deregistration Use-After-Free Not stated Mariner
CVE-2024-27289 pgx SQL Injection via Line Comment Creation SQL Injection Not stated Mariner
CVE-2024-26594 ksmbd: validate mech token in session setup Authentication Bypass Not stated Mariner
CVE-2024-26588 LoongArch: BPF — Prevent out-of-bounds memory access Out-of-bounds Memory Access Not stated Mariner
CVE-2024-26585 TLS: fix race between tx work scheduling and socket close Race Condition Not stated Mariner
CVE-2024-26583 TLS: fix race between async notify and socket close Race Condition Not stated Mariner
CVE-2024-26581 Netfilter: nft_set_rbtree — skip end interval element from gc Denial of Service Not stated Mariner
CVE-2024-26455 Fluent-bit 2.2.2 use-after-free vulnerability in custom_calyptia.c Use-After-Free Not stated Mariner
CVE-2024-2631 Chromium: Inappropriate implementation in iOS Implementation Flaw Not stated Microsoft Edge (Chromium-based)
CVE-2024-2630 Chromium: Inappropriate implementation in iOS Implementation Flaw Not stated Microsoft Edge (Chromium-based)
CVE-2024-2629 Chromium: Incorrect security UI in iOS UI Flaw Not stated Microsoft Edge (Chromium-based)
CVE-2024-2628 Chromium: Inappropriate implementation in Downloads Implementation Flaw Not stated Microsoft Edge (Chromium-based)
CVE-2024-2627 Chromium: Use after free in Canvas Use-After-Free Not stated Microsoft Edge (Chromium-based)
CVE-2024-2626 Chromium: Out of bounds read in Swiftshader Out-of-bounds Read Not stated Microsoft Edge (Chromium-based)
CVE-2024-2625 Chromium: Object lifecycle issue in V8 Memory Safety Not stated Microsoft Edge (Chromium-based)
CVE-2024-26247 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Security Feature Bypass Low Microsoft Edge (Chromium-based)
CVE-2024-26246 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Security Feature Bypass Low Microsoft Edge (Chromium-based)
CVE-2024-26204 Outlook for Android Information Disclosure Vulnerability Information Disclosure Important Outlook for Android
CVE-2024-26203 Azure Data Studio Elevation of Privilege Vulnerability Elevation of Privilege Important Azure Data Studio

Verified CVSS Severity Scores

CVE Verified CVSS Score Verified Severity Affected Component
CVE-2024-29059 7.5 High .NET Framework Information Disclosure
CVE-2024-29057 4.3 Medium Edge Spoofing Vulnerability
CVE-2024-28916 8.8 High Xbox Gaming Services EoP
CVE-2024-26203 7.3 High Azure Data Studio EoP

Related Articles

Back to top button