Microsoft Releases April 2026 Patch Tuesday Update: 168 Vulnerabilities Patched Including Active Zero-Day Exploit
System administrators and security teams are urged to prioritize deploying these updates immediately to protect their networks from active exploitation campaigns.
The SharePoint Server Zero-Day: CVE-2026-32201
The most pressing vulnerability in this month’s update is CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server that is currently being exploited in the wild. Threat actors have already weaponized this zero-day, making it an active threat to organizations relying on SharePoint for collaboration and document management.
Given that SharePoint is fundamental to enterprise operations, this vulnerability represents a significant risk to business continuity. Security teams should treat patching this flaw as an immediate priority to prevent unauthorized network spoofing and data access.
Critical Elevation of Privilege and Disclosure Vulnerabilities
Beyond the zero-day threat, the Microsoft Security Response Center (MSRC) has highlighted several high-severity vulnerabilities requiring immediate remediation:
- Azure Data Studio (CVE-2024-26203) — An elevation of privilege vulnerability (CVSS 7.3) that allows local attackers to bypass security controls and escalate permissions, potentially compromising system confidentiality and integrity.
- Xbox Gaming Services (CVE-2024-28916) — An elevation of privilege flaw (CVSS 8.8) in Xbox Crypto Graphic Services that could grant attackers elevated system access rights.
- .NET Framework (CVE-2024-29059) — An information disclosure vulnerability (CVSS 7.5) that could expose sensitive system data to unauthorized users.
- Outlook for Android (CVE-2024-26204) — An information disclosure flaw affecting mobile email users, requiring urgent app updates across enterprise deployments.
Microsoft Edge Browser and Chromium Security Updates
The April patch cycle delivers extensive security improvements for the Chromium-based Microsoft Edge browser. Updates resolve a low-severity spoofing bug (CVE-2024-29057, CVSS 4.3) and multiple security feature bypasses (CVE-2024-26246, CVE-2024-26247).
Microsoft also integrated critical upstream Chromium patches addressing severe memory management issues, including:
- Use-after-free vulnerabilities in WebCodecs (CVE-2024-2886), Dawn (CVE-2024-2885), Canvas (CVE-2024-2627), and ANGLE (CVE-2024-2883)
- Type confusion in WebAssembly (CVE-2024-2887)
- Out-of-bounds reading in Swiftshader (CVE-2024-2626)
- iOS-specific implementation and interface bugs (CVE-2024-2628, CVE-2024-2629, CVE-2024-2630)
Linux and Open-Source Component Vulnerabilities
The update extends to Mariner and integrated open-source tools. Microsoft patched serious directory traversal (CVE-2024-27318) and out-of-bounds read (CVE-2024-27319) flaws in the ONNX package.
The company also resolved multiple Linux kernel vulnerabilities, including out-of-bounds memory access in LoongArch (CVE-2024-26588) and dangerous race conditions in TLS operations (CVE-2024-26583, CVE-2024-26585).
Recommended Mitigation Strategies
Security professionals recommend the following actions to maintain strong network defense:
- Deploy the April 2026 security updates across all Microsoft servers immediately, prioritizing public-facing SharePoint environments.
- Update Azure Data Studio and enforce the principle of least privilege for all local user accounts.
- Ensure automated updates are active for Microsoft Edge and mobile applications like Outlook for Android.
- Continuously monitor system logs for unusual privilege escalation attempts, spoofing behaviors, or unauthorized network access.
- Conduct vulnerability assessments to identify systems still running unpatched versions of affected Microsoft products.
Complete CVE Reference Table
| CVE | Title / Description | Type | Severity | Product / Component |
|---|---|---|---|---|
| CVE-2024-29059 | .NET Framework Information Disclosure Vulnerability | Information Disclosure | Important | .NET Framework |
| CVE-2024-29057 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Spoofing | Low | Microsoft Edge (Chromium-based) |
| CVE-2024-28916 | Xbox Gaming Services Elevation of Privilege Vulnerability | Elevation of Privilege | Important | XBox Crypto Graphic Services |
| CVE-2024-2887 | Chromium: Type Confusion in WebAssembly | Type Confusion | Not stated | Microsoft Edge (Chromium-based) |
| CVE-2024-2886 | Chromium: Use after free in WebCodecs | Use-After-Free | Not stated | Microsoft Edge (Chromium-based) |
| CVE-2024-2885 | Chromium: Use after free in Dawn | Use-After-Free | Not stated | Microsoft Edge (Chromium-based) |
| CVE-2024-28849 | Proxy-Authorization header kept across hosts in follow-redirects | Header Leakage | Not stated | Mariner |
| CVE-2024-2883 | Chromium: Use after free in ANGLE | Use-After-Free | Not stated | Microsoft Edge (Chromium-based) |
| CVE-2024-27319 | ONNX out-of-bounds read due to off-by-one string copy | Out-of-bounds Read | Not stated | Mariner |
| CVE-2024-27318 | ONNX directory traversal via external_data path | Directory Traversal | Not stated | Mariner |
| CVE-2024-27308 | Mio’s tokens for named pipes may be delivered after deregistration | Use-After-Free | Not stated | Mariner |
| CVE-2024-27289 | pgx SQL Injection via Line Comment Creation | SQL Injection | Not stated | Mariner |
| CVE-2024-26594 | ksmbd: validate mech token in session setup | Authentication Bypass | Not stated | Mariner |
| CVE-2024-26588 | LoongArch: BPF — Prevent out-of-bounds memory access | Out-of-bounds Memory Access | Not stated | Mariner |
| CVE-2024-26585 | TLS: fix race between tx work scheduling and socket close | Race Condition | Not stated | Mariner |
| CVE-2024-26583 | TLS: fix race between async notify and socket close | Race Condition | Not stated | Mariner |
| CVE-2024-26581 | Netfilter: nft_set_rbtree — skip end interval element from gc | Denial of Service | Not stated | Mariner |
| CVE-2024-26455 | Fluent-bit 2.2.2 use-after-free vulnerability in custom_calyptia.c | Use-After-Free | Not stated | Mariner |
| CVE-2024-2631 | Chromium: Inappropriate implementation in iOS | Implementation Flaw | Not stated | Microsoft Edge (Chromium-based) |
| CVE-2024-2630 | Chromium: Inappropriate implementation in iOS | Implementation Flaw | Not stated | Microsoft Edge (Chromium-based) |
| CVE-2024-2629 | Chromium: Incorrect security UI in iOS | UI Flaw | Not stated | Microsoft Edge (Chromium-based) |
| CVE-2024-2628 | Chromium: Inappropriate implementation in Downloads | Implementation Flaw | Not stated | Microsoft Edge (Chromium-based) |
| CVE-2024-2627 | Chromium: Use after free in Canvas | Use-After-Free | Not stated | Microsoft Edge (Chromium-based) |
| CVE-2024-2626 | Chromium: Out of bounds read in Swiftshader | Out-of-bounds Read | Not stated | Microsoft Edge (Chromium-based) |
| CVE-2024-2625 | Chromium: Object lifecycle issue in V8 | Memory Safety | Not stated | Microsoft Edge (Chromium-based) |
| CVE-2024-26247 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Security Feature Bypass | Low | Microsoft Edge (Chromium-based) |
| CVE-2024-26246 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Security Feature Bypass | Low | Microsoft Edge (Chromium-based) |
| CVE-2024-26204 | Outlook for Android Information Disclosure Vulnerability | Information Disclosure | Important | Outlook for Android |
| CVE-2024-26203 | Azure Data Studio Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Azure Data Studio |
Verified CVSS Severity Scores
| CVE | Verified CVSS Score | Verified Severity | Affected Component |
|---|---|---|---|
| CVE-2024-29059 | 7.5 | High | .NET Framework Information Disclosure |
| CVE-2024-29057 | 4.3 | Medium | Edge Spoofing Vulnerability |
| CVE-2024-28916 | 8.8 | High | Xbox Gaming Services EoP |
| CVE-2024-26203 | 7.3 | High | Azure Data Studio EoP |