Microsoft April 2026 Patch Tuesday security update (165 CVEs)
Security Patch Release
Summary
Hide ▲
Show ▼
Microsoft shipped April 2026 Patch Tuesday updates covering 165 CVEs, including an actively exploited zero-day and a publicly disclosed flaw, creating immediate remediation pressure across Windows and related products. The bundle matters because multiple patched bugs can enable remote code execution, elevation of privilege, or information disclosure. Microsoft also said 19 vulnerabilities are more likely to be exploited and need high-priority attention. The update spans SharePoint Server, Defender, Windows IKE, Word, and nearly 80 Edge/Chromium fixes.
Cases
Related Happenings
Microsoft security patch release for CVE-2026-45659
Security Patch Release
First: 26.05.2026 14:49
Last: 26.05.2026 14:49
Sources 1
About this happening:
Microsoft released **SharePoint** updates for **CVE-2026-45659**, a **remote code execution** flaw that could let an authenticated attacker run code over the network without eleva...
Microsoft security patch release for CVE-2026-45659
Security Patch ReleaseAbout this happening: Microsoft released **SharePoint** updates for **CVE-2026-45659**, a **remote code execution** flaw that could let an authenticated attacker run code over the network without eleva...
CERT-In issues rapid patching guidelines for internet-facing systems
Public Sector Action
First: 26.05.2026 12:13
Last: 26.05.2026 12:13
Sources 1
About this happening:
**CERT-In** issued **new guidelines** requiring organizations to patch **internet-exposed critical vulnerabilities** within **12 hours** where feasible, tightening defensive timel...
CERT-In issues rapid patching guidelines for internet-facing systems
Public Sector ActionAbout this happening: **CERT-In** issued **new guidelines** requiring organizations to patch **internet-exposed critical vulnerabilities** within **12 hours** where feasible, tightening defensive timel...
Drupal core security update for CVE-2026-9082
Security Patch Release
First: 22.05.2026 16:14
Last: 22.05.2026 16:14
Sources 1
About this happening:
**Drupal** released security updates for **CVE-2026-9082**, a highly critical SQL injection flaw affecting **PostgreSQL**-backed sites, and urged administrators to **upgrade immed...
Drupal core security update for CVE-2026-9082
Security Patch ReleaseAbout this happening: **Drupal** released security updates for **CVE-2026-9082**, a highly critical SQL injection flaw affecting **PostgreSQL**-backed sites, and urged administrators to **upgrade immed...
Microsoft security patch release for CVE-2026-41091 and CVE-2026-45498
Security Patch Release
First: 21.05.2026 10:49
Last: 21.05.2026 10:49
Sources 1
About this happening:
Microsoft rolled out security updates for Defender and related malware protection components to address two zero-days: CVE-2026-41091 and CVE-2026-45498. The fixes cover affected...
Microsoft security patch release for CVE-2026-41091 and CVE-2026-45498
Security Patch ReleaseAbout this happening: Microsoft rolled out security updates for Defender and related malware protection components to address two zero-days: CVE-2026-41091 and CVE-2026-45498. The fixes cover affected...
Latest development: 21.05.2026 12:52
Microsoft released patches for Microsoft Defender Antimalware Platform version 4.18.26040.7 to address CVE-2026-41091, a link-following privilege-escalation flaw that can let an authorized attacker elevate privileges locally to System, and CVE-2026-45498, a denial-of-service flaw. Microsoft said both vulnerabilities were publicly disclosed and exploited in the wild as zero-days. CISA added both flaws to its Known Exploited Vulnerabilities (KEV) list and urged federal agencies to patch them by June 3.
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/Mitigation
First: 20.05.2026 10:31
Last: 20.05.2026 10:31
Sources 1
About this happening:
Microsoft issued **mitigation guidance** for **YellowKey**, a **Windows BitLocker zero-day** that can expose **BitLocker-protected drives** before the security update is available...
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/MitigationAbout this happening: Microsoft issued **mitigation guidance** for **YellowKey**, a **Windows BitLocker zero-day** that can expose **BitLocker-protected drives** before the security update is available...
Timeline
-
15.04.2026 00:22 1 articles · 1mo ago
Microsoft April 2026 Patch Tuesday release
Mitigation Patch UpdateMicrosoft's April 2026 Patch Tuesday delivered patches for 165 CVEs, including CVE-2026-32201, an actively exploited spoofing flaw in Microsoft SharePoint Server that can let attackers view and modify sensitive information, and CVE-2026-33825, a publicly disclosed Defender antimalware platform flaw with proof-of-concept code. The update also covered critical fixes for CVE-2026-33824 in Windows Internet Key Exchange (IKE) Service Extensions, CVE-2026-33827 in Windows secure tunneling and authentication components, and nearly 80 republished Microsoft Edge and Chromium patches.
Show sources
- Privilege Elevation Dominates Massive Microsoft Patch Update — www.darkreading.com — 15.04.2026 00:22
-
15.04.2026 00:22 2 articles · 1mo ago
Microsoft flags exploitation risk and hardening steps
Technical Analysis UpdateMicrosoft assessed 19 newly disclosed vulnerabilities as more likely to be exploited, and researchers warned that CVE-2026-33825 could be chained with other exploits to expand initial access and gain system-level control on vulnerable endpoints. Microsoft said Defender instances with automatic updates were already protected, while organizations that do not use IKE should block UDP ports 500 and 4500 and required IKE deployments should restrict inbound traffic to known peer addresses.
Show sources
- Privilege Elevation Dominates Massive Microsoft Patch Update — www.darkreading.com — 15.04.2026 00:22
- Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday — thehackernews.com — 13.05.2026 16:46