The April 2026 Security Update Review
Strategic summary
The April 2026 Patch Tuesday brings a massive number of updates: Adobe fixes 61 vulnerabilities, including one actively exploited bug in Acrobat Reader. Microsoft releases 163 new CVEs, totaling 247, with an actively attacked SharePoint spoofing vulnerability. The high volume may be due to AI-generated bug reports. Organizations should urgently implement these critical patches, especially for internet-facing systems.
Key findings
- Two actively exploited vulnerabilities: CVE-2026-32201 in Microsoft SharePoint (spoofing) and an unnamed flaw in Adobe Acrobat Reader.
- Adobe addresses 61 CVEs across products like ColdFusion, FrameMaker, and Connect, with ColdFusion requiring deployment priority 1.
- Microsoft's April update includes 247 CVEs, the second-largest monthly release in the company's history.
- Eight Microsoft vulnerabilities are rated Critical, with the remainder Important or Moderate.
- The increase in reported vulnerabilities is partly attributed to the use of AI tools.
Relevance for you
The article is a monthly patch review covering multiple elevation-of-privilege vulnerabilities in Windows kernel modules and SQL Server; Adobe Reader is flagged as actively exploited, but without specific DACH relevance or geopolitical implications.
Mentioned CVEs
- CVE-2026-32201
- CVE-2026-33825
- CVE-2026-33827
- CVE-2026-33824
- CVE-2026-5281
- CVE-2026-23666
- CVE-2026-32190
- CVE-2026-33114
- CVE-2026-33115
- CVE-2026-32157
- CVE-2026-33826
- CVE-2026-26171
- CVE-2026-32226
- CVE-2026-32178
- CVE-2026-32203
- CVE-2026-33116
- CVE-2023-20585
- CVE-2026-32072
- CVE-2026-25184
- CVE-2026-32171
- CVE-2026-32168
- CVE-2026-32192
- CVE-2026-32181
- CVE-2026-27924
- CVE-2026-32152
- CVE-2026-32154
- CVE-2026-27923
- CVE-2026-32155
- CVE-2026-23653
- CVE-2026-32631
- CVE-2026-33096
- CVE-2026-25250
- CVE-2026-26181
- CVE-2026-32219
- CVE-2026-32091
- CVE-2026-26152
- CVE-2026-33103
- CVE-2026-32188
- CVE-2026-32189
- CVE-2026-32197
- CVE-2026-32198
- CVE-2026-32199
- CVE-2026-32184
- CVE-2026-26155
- CVE-2026-27914
- CVE-2026-26149
- CVE-2026-32200
- CVE-2026-26143
- CVE-2026-33120
- CVE-2026-20945
- CVE-2026-33822
- CVE-2026-33095
- CVE-2026-23657
- CVE-2026-32081
- CVE-2026-26170
- CVE-2026-26183
- CVE-2026-26160
- CVE-2026-26159
- CVE-2026-26151
- CVE-2026-32085
- CVE-2026-32167
- CVE-2026-32176
- CVE-2026-0390
- CVE-2026-32220
- CVE-2026-32212
- CVE-2026-32214
- CVE-2026-32079
- CVE-2026-33104
- CVE-2026-32196
- CVE-2026-26178
- CVE-2026-32073
- CVE-2026-26168
- CVE-2026-26173
- CVE-2026-26177
- CVE-2026-26182
- CVE-2026-27922
- CVE-2026-33099
- CVE-2026-33100
- CVE-2026-32088
- CVE-2026-27913
- CVE-2026-26175
- CVE-2026-32162
- CVE-2026-20806
- CVE-2026-26176
- CVE-2026-27926
- CVE-2026-32070
- CVE-2026-33098
- CVE-2026-26153
- CVE-2026-32087
- CVE-2026-32093
- CVE-2026-32086
- CVE-2026-32150
- CVE-2026-27931
- CVE-2026-27930
- CVE-2026-32221
- CVE-2026-27906
- CVE-2026-27928
- CVE-2026-26156
- CVE-2026-32149
- CVE-2026-27910
- CVE-2026-27912
- CVE-2026-26179
- CVE-2026-26180
- CVE-2026-32195
- CVE-2026-26163
- CVE-2026-32215
- CVE-2026-32217
- CVE-2026-32218
- CVE-2026-26169
- CVE-2026-27929
- CVE-2026-32071
- CVE-2026-20930
- CVE-2026-26162
- CVE-2026-33101
- CVE-2026-32084
- CVE-2026-27927
- CVE-2026-26184
- CVE-2026-32069
- CVE-2026-32074
- CVE-2026-32078
- CVE-2026-26167
- CVE-2026-32158
- CVE-2026-32159
- CVE-2026-32160
- CVE-2026-26172
- CVE-2026-20928
- CVE-2026-32216
- CVE-2026-27909
- CVE-2026-26161
- CVE-2026-26174
- CVE-2026-32224
- CVE-2026-26154
- CVE-2026-26165
- CVE-2026-26166
- CVE-2026-27918
- CVE-2026-32151
- CVE-2026-32225
- CVE-2026-32202
- CVE-2026-32082
- CVE-2026-32083
- CVE-2026-32068
- CVE-2026-32183
- CVE-2026-32089
- CVE-2026-32090
- CVE-2026-32153
- CVE-2026-27907
- CVE-2026-32076
- CVE-2026-27908
- CVE-2026-27921
- CVE-2026-27915
- CVE-2026-27919
- CVE-2026-32075
- CVE-2026-27916
- CVE-2026-27920
- CVE-2026-32077
- CVE-2026-27925
- CVE-2026-32156
- CVE-2026-32223
- CVE-2026-32165
- CVE-2026-27911
- CVE-2026-32163
- CVE-2026-32164
- CVE-2026-23670
- CVE-2026-27917
- CVE-2026-32080
- CVE-2026-32222
- CVE-2026-21637
- CVE-2026-33119
- CVE-2026-33829
- CVE-2026-5858
- CVE-2026-5859
- CVE-2026-5272
- CVE-2026-5273
- CVE-2026-5274
- CVE-2026-5275
- CVE-2026-5276
- CVE-2026-5277
- CVE-2026-5279
- CVE-2026-5280
- CVE-2026-5283
- CVE-2026-5284
- CVE-2026-5285
- CVE-2026-5286
- CVE-2026-5287
- CVE-2026-5289
- CVE-2026-5290
- CVE-2026-5860
- CVE-2026-5861
- CVE-2026-5862
- CVE-2026-5863
- CVE-2026-5864
- CVE-2026-5865
- CVE-2026-5866
- CVE-2026-5867
- CVE-2026-5868
- CVE-2026-5869
- CVE-2026-5870
- CVE-2026-5871
- CVE-2026-5872
- CVE-2026-5873
- CVE-2026-5291
- CVE-2026-5292
- CVE-2026-5874
- CVE-2026-5875
- CVE-2026-5876
- CVE-2026-5877
- CVE-2026-5878
- CVE-2026-5879
- CVE-2026-5880
- CVE-2026-5881
- CVE-2026-5882
- CVE-2026-5883
- CVE-2026-5884
- CVE-2026-5885
- CVE-2026-5886
- CVE-2026-5887
- CVE-2026-5888
- CVE-2026-5889
- CVE-2026-5890
- CVE-2026-5891
- CVE-2026-5892
- CVE-2026-5893
- CVE-2026-5894
- CVE-2026-5895
- CVE-2026-5896
- CVE-2026-5897
- CVE-2026-5898
- CVE-2026-5899
- CVE-2026-5900
- CVE-2026-5901
- CVE-2026-5902
- CVE-2026-5903
- CVE-2026-5904
- CVE-2026-5905
- CVE-2026-5906
- CVE-2026-5907
- CVE-2026-5908
- CVE-2026-5909
- CVE-2026-5910
- CVE-2026-5911
- CVE-2026-5912
- CVE-2026-5913
- CVE-2026-5914
- CVE-2026-5915
- CVE-2026-5918
- CVE-2026-5919
- CVE-2026-33118
Risk score
- cvss base
- 65.00
- kev bonus
- 20.00
- epss bonus
- 10.00
- poc bonus
- 15.00
- raw before weight
- 110.00
- industry weight
- 1.21
- freshness factor
- 0.50
- exploitability factor
- 1.00
- days old
- 85.00
- vendor mismatch penalty
- 0.00
- consensus penalty
- -5.00
Path: operational
Consensus check
The pipeline self-checks before delivery. These rules lowered the score:
-
VENDOR_MISMATCHVendor not found in alert title −5
- Consensus penalty:
- −5.0
- Total penalty:
- −5.0
MITRE ATT&CK mapping
5 TTPsProcedure details
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1068 Exploitation for Privilege Escalation | Privilege Escalation | Multiple CVEs in Windows components (including kernel, afd.sys, Desktop Windows Manager, SQL Server, UPnP) are exploited to elevate privileges to SYSTEM-level, administrative, or SQL sysadmin privileges on local systems | high | llm |
| T1203 Exploitation for Client Execution | Execution | CVE in Adobe Acrobat Reader is actively exploited in the wild against end-user systems, representing the highest-priority patch in the April 2026 release | high | llm |
| T1611 Escape to Host | Privilege Escalation | Several Windows sandbox escape vulnerabilities are addressed, including bugs in Windows Push Notifications (CVE-2026-26167), AFD for Winsock, Management Services, and User Interface Core, allowing attackers to break out of sandboxed environments | high | llm |
| T1499 Endpoint Denial of Service | Impact | A tampering vulnerability in WSUS allows attackers to send specially crafted packets to affect service availability and cause Denial of Service; additionally, bugs in afd.sys and Desktop Windows Manager are noted to crash affected systems | medium | llm |
| T1190 Exploit Public-Facing Application | Initial Access | Adobe ColdFusion receives a deployment priority 1 patch, indicating critical vulnerabilities in the publicly accessible web application platform that could be exploited by remote attackers | medium | llm |