Threat intelligence
Microsoft Security Bulletin Coverage for April 2026
Overview
Microsoft’s April 2026 Patch Tuesday has 163 vulnerabilities, of which 94 are Elevation of Privilege. SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of April 2026 and has produced coverage for 14 of the reported vulnerabilities.
Vulnerabilities with Detections
CVE | CVE Title | Signature |
| CVE-2026-26169 | Windows Kernel Memory Information Disclosure Vulnerability | ASPY 7204 Exploit-exe exe.MP_509 |
| CVE-2026-27908 | Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability | ASPY 7205 Exploit-exe exe.MP_510 |
| CVE-2026-27909 | Windows Search Service Elevation of Privilege Vulnerability | ASPY 7206 Exploit-exe exe.MP_511 |
| CVE-2026-27914 | Microsoft Management Console Elevation of Privilege Vulnerability | ASPY 7207 Exploit-exe exe.MP_512 |
| CVE-2026-27921 | Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability | ASPY 7208 Exploit-exe exe.MP_513 |
| CVE-2026-32070 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | ASPY 7209 Exploit-exe exe.MP_514 |
| CVE-2026-32093 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | ASPY 7210 Exploit-exe exe.MP_515 |
| CVE-2026-32152 | Desktop Window Manager Elevation of Privilege Vulnerability | ASPY 678 Exploit-exe exe.MP_508 |
| CVE-2026-32154 | Desktop Window Manager Elevation of Privilege Vulnerability | ASPY 7211 Exploit-exe exe.MP_516 |
| CVE-2026-32162 | Windows COM Elevation of Privilege Vulnerability | ASPY 677 Exploit-exe exe.MP_507 |
| CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability | IPS 4617 Microsoft SharePoint Server Spoofing (CVE-2026-32201) |
| CVE-2026-32202 | Windows Shell Spoofing Vulnerability | ASPY 676 Exploit-exe exe.MP_506 |
| CVE-2026-32225 | Windows Shell Security Feature Bypass Vulnerability | ASPY 675 Exploit-exe exe.MP_505 |
| CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability | ASPY 674 Exploit-exe exe.MP_504 |
Release Breakdown
The vulnerabilities can be classified into the following categories:
For April there are 8 critical and 154 important vulnerabilities.
Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the patch Tuesday release for each month. The above chart displays these metrics as seen each month.
Release Detailed Breakdown
Denial of Service Vulnerabilities
| CVE | CVE Title |
| CVE-2026-23666 | .NET Framework Denial of Service Vulnerability |
| CVE-2026-26171 | .NET Denial of Service Vulnerability |
| CVE-2026-32071 | Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability |
| CVE-2026-32181 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability |
| CVE-2026-32203 | .NET and Visual Studio Denial of Service Vulnerability |
| CVE-2026-32226 | .NET Framework Denial of Service Vulnerability |
| CVE-2026-33096 | HTTP.sys Denial of Service Vulnerability |
| CVE-2026-33116 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability |
Elevation of Privilege Vulnerabilities
| CVE | CVE Title |
| CVE-2026-20930 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-25184 | Applocker Filter Driver (applockerfltr.sys) Elevation of Privilege Vulnerability |
| CVE-2026-26152 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability |
| CVE-2026-26153 | Windows Encrypted File System (EFS) Elevation of Privilege Vulnerability |
| CVE-2026-26159 | Remote Desktop Licensing Service Elevation of Privilege Vulnerability |
| CVE-2026-26160 | Remote Desktop Licensing Service Elevation of Privilege Vulnerability |
| CVE-2026-26161 | Windows Sensor Data Service Elevation of Privilege Vulnerability |
| CVE-2026-26162 | Windows OLE Elevation of Privilege Vulnerability |
| CVE-2026-26163 | Windows Kernel Elevation of Privilege Vulnerability |
| CVE-2026-26165 | Windows Shell Elevation of Privilege Vulnerability |
| CVE-2026-26166 | Windows Shell Elevation of Privilege Vulnerability |
| CVE-2026-26167 | Windows Push Notifications Elevation of Privilege Vulnerability |
| CVE-2026-26168 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-26170 | PowerShell Elevation of Privilege Vulnerability |
| CVE-2026-26172 | Windows Push Notifications Elevation of Privilege Vulnerability |
| CVE-2026-26173 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-26174 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability |
| CVE-2026-26176 | Windows Client Side Caching driver (csc.sys) Elevation of Privilege Vulnerability |
| CVE-2026-26177 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-26178 | Windows Advanced Rasterization Platform Elevation of Privilege Vulnerability |
| CVE-2026-26179 | Windows Kernel Elevation of Privilege Vulnerability |
| CVE-2026-26180 | Windows Kernel Elevation of Privilege Vulnerability |
| CVE-2026-26181 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2026-26182 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-26183 | Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability |
| CVE-2026-26184 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2026-27907 | Windows Storage Spaces Controller Elevation of Privilege Vulnerability |
| CVE-2026-27908 | Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability |
| CVE-2026-27909 | Windows Search Service Elevation of Privilege Vulnerability |
| CVE-2026-27910 | Windows Installer Elevation of Privilege Vulnerability |
| CVE-2026-27911 | Windows User Interface Core Elevation of Privilege Vulnerability |
| CVE-2026-27912 | Windows Kerberos Elevation of Privilege Vulnerability |
| CVE-2026-27914 | Microsoft Management Console Elevation of Privilege Vulnerability |
| CVE-2026-27915 | Windows UPnP Device Host Elevation of Privilege Vulnerability |
| CVE-2026-27916 | Windows UPnP Device Host Elevation of Privilege Vulnerability |
| CVE-2026-27917 | Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) Elevation of Privilege Vulnerability |
| CVE-2026-27918 | Windows Shell Elevation of Privilege Vulnerability |
| CVE-2026-27919 | Windows UPnP Device Host Elevation of Privilege Vulnerability |
| CVE-2026-27920 | Windows UPnP Device Host Elevation of Privilege Vulnerability |
| CVE-2026-27921 | Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability |
| CVE-2026-27922 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-27923 | Desktop Window Manager Elevation of Privilege Vulnerability |
| CVE-2026-27924 | Desktop Window Manager Elevation of Privilege Vulnerability |
| CVE-2026-27926 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2026-27927 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2026-27929 | Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability |
| CVE-2026-32068 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability |
| CVE-2026-32069 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2026-32070 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2026-32073 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-32074 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2026-32075 | Windows UPnP Device Host Elevation of Privilege Vulnerability |
| CVE-2026-32076 | Windows Storage Spaces Controller Elevation of Privilege Vulnerability |
| CVE-2026-32077 | Windows UPnP Device Host Elevation of Privilege Vulnerability |
| CVE-2026-32078 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2026-32080 | Windows WalletService Elevation of Privilege Vulnerability |
| CVE-2026-32082 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability |
| CVE-2026-32083 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability |
| CVE-2026-32086 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability |
| CVE-2026-32087 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability |
| CVE-2026-32089 | Windows Speech Brokered Api Elevation of Privilege Vulnerability |
| CVE-2026-32090 | Windows Speech Brokered Api Elevation of Privilege Vulnerability |
| CVE-2026-32091 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2026-32093 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability |
| CVE-2026-32150 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability |
| CVE-2026-32152 | Desktop Window Manager Elevation of Privilege Vulnerability |
| CVE-2026-32153 | Windows Speech Runtime Elevation of Privilege Vulnerability |
| CVE-2026-32154 | Desktop Window Manager Elevation of Privilege Vulnerability |
| CVE-2026-32155 | Desktop Window Manager Elevation of Privilege Vulnerability |
| CVE-2026-32158 | Windows Push Notifications Elevation of Privilege Vulnerability |
| CVE-2026-32159 | Windows Push Notifications Elevation of Privilege Vulnerability |
| CVE-2026-32160 | Windows Push Notifications Elevation of Privilege Vulnerability |
| CVE-2026-32162 | Windows COM Elevation of Privilege Vulnerability |
| CVE-2026-32163 | Windows User Interface Core Elevation of Privilege Vulnerability |
| CVE-2026-32164 | Windows User Interface Core Elevation of Privilege Vulnerability |
| CVE-2026-32165 | Windows User Interface Core Elevation of Privilege Vulnerability |
| CVE-2026-32167 | SQL Server Elevation of Privilege Vulnerability |
| CVE-2026-32168 | Azure Monitor Agent Elevation of Privilege Vulnerability |
| CVE-2026-32171 | Azure Logic Apps Elevation of Privilege Vulnerability |
| CVE-2026-32176 | SQL Server Elevation of Privilege Vulnerability |
| CVE-2026-32184 | Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability |
| CVE-2026-32192 | Azure Monitor Agent Elevation of Privilege Vulnerability |
| CVE-2026-32195 | Windows Kernel Elevation of Privilege Vulnerability |
| CVE-2026-32216 | Windows Redirected Drive Buffering System Denial of Service Vulnerability |
| CVE-2026-32219 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2026-32222 | Windows Win32k Elevation of Privilege Vulnerability |
| CVE-2026-32223 | Windows USB Printing Stack (usbprint.sys) Elevation of Privilege Vulnerability |
| CVE-2026-32224 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability |
| CVE-2026-33098 | Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability |
| CVE-2026-33099 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-33100 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-33101 | Windows Print Spooler Elevation of Privilege Vulnerability |
| CVE-2026-33104 | Win32k Elevation of Privilege Vulnerability |
| CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability |
Information Disclosure Vulnerabilities
| CVE | CVE Title |
| CVE-2026-20806 | Windows COM Server Information Disclosure Vulnerability |
| CVE-2026-23653 | GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability |
| CVE-2026-26155 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability |
| CVE-2026-26169 | Windows Kernel Memory Information Disclosure Vulnerability |
| CVE-2026-27925 | Windows UPnP Device Host Information Disclosure Vulnerability |
| CVE-2026-27930 | Windows GDI Information Disclosure Vulnerability |
| CVE-2026-27931 | Windows GDI Information Disclosure Vulnerability |
| CVE-2026-32079 | Web Account Manager Information Disclosure Vulnerability |
| CVE-2026-32081 | Package Catalog Information Disclosure Vulnerability |
| CVE-2026-32084 | Windows Print Spooler Information Disclosure Vulnerability |
| CVE-2026-32085 | Remote Procedure Call Information Disclosure Vulnerability |
| CVE-2026-32151 | Windows Shell Information Disclosure Vulnerability |
| CVE-2026-32188 | Microsoft Excel Information Disclosure Vulnerability |
| CVE-2026-32212 | Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability |
| CVE-2026-32214 | Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability |
| CVE-2026-32215 | Windows Kernel Information Disclosure Vulnerability |
| CVE-2026-32217 | Windows Kernel Information Disclosure Vulnerability |
| CVE-2026-32218 | Windows Kernel Information Disclosure Vulnerability |
| CVE-2026-33103 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability |
| CVE-2026-33822 | Microsoft Word Information Disclosure Vulnerability |
Remote Code Execution Vulnerabilities
| CVE | CVE Title |
| CVE-2026-23657 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2026-26156 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2026-32149 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2026-32156 | Windows UPnP Device Host Remote Code Execution Vulnerability |
| CVE-2026-32157 | Remote Desktop Client Remote Code Execution Vulnerability |
| CVE-2026-32183 | Windows Snipping Tool Remote Code Execution Vulnerability |
| CVE-2026-32189 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-32190 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2026-32197 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-32198 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-32199 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-32200 | Microsoft PowerPoint Remote Code Execution Vulnerability |
| CVE-2026-32221 | Windows Graphics Component Remote Code Execution Vulnerability |
| CVE-2026-33095 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2026-33114 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2026-33115 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2026-33120 | Microsoft SQL Server Remote Code Execution Vulnerability |
| CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability |
| CVE-2026-33826 | Windows Active Directory Remote Code Execution Vulnerability |
| CVE-2026-33827 | Windows TCP/IP Remote Code Execution Vulnerability |
Security Feature Bypass Vulnerabilities
| CVE | CVE Title |
| CVE-2026-0390 | UEFI Secure Boot Security Feature Bypass Vulnerability |
| CVE-2026-20928 | Windows Recovery Environment Security Feature Bypass Vulnerability |
| CVE-2026-23670 | Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability |
| CVE-2026-26143 | Microsoft PowerShell Security Feature Bypass Vulnerability |
| CVE-2026-26149 | Microsoft Power Apps Security Feature Bypass |
| CVE-2026-26175 | Windows Boot Manager Security Feature Bypass Vulnerability |
| CVE-2026-27906 | Windows Hello Security Feature Bypass Vulnerability |
| CVE-2026-27913 | Windows BitLocker Security Feature Bypass Vulnerability |
| CVE-2026-27928 | Windows Hello Security Feature Bypass Vulnerability |
| CVE-2026-32088 | Windows Biometric Service Security Feature Bypass Vulnerability |
| CVE-2026-32220 | UEFI Secure Boot Security Feature Bypass Vulnerability |
| CVE-2026-32225 | Windows Shell Security Feature Bypass Vulnerability |
Spoofing Vulnerabilities
| CVE | CVE Title |
| CVE-2026-20945 | Microsoft SharePoint Server Spoofing Vulnerability |
| CVE-2026-26151 | Remote Desktop Spoofing Vulnerability |
| CVE-2026-32072 | Active Directory Spoofing Vulnerability |
| CVE-2026-32178 | .NET Spoofing Vulnerability |
| CVE-2026-32196 | Windows Admin Center Spoofing Vulnerability |
| CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability |
| CVE-2026-32202 | Windows Shell Spoofing Vulnerability |
| CVE-2026-33829 | Windows Snipping Tool Spoofing Vulnerability |
Tampering Vulnerability
| CVE | CVE Title |
| CVE-2026-26154 | Windows Server Update Service (WSUS) Tampering Vulnerability |
Share This Article
An Article By
An Article By
Security News
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
