Microsoft April 2026 Patch Tuesday: 147 CVEs, 3 Zero-Days Fixed
Microsoft's April Patch Tuesday addressed 147 vulnerabilities across Windows, Office, Azure, and Exchange Server. Three zero-days were patched — all confirmed exploited in the wild. Prioritize these patches this week.
April Patch Tuesday Overview
Microsoft released its April 2026 Patch Tuesday security updates on April 14, 2026, addressing a total of 147 Common Vulnerabilities and Exposures (CVEs) across its product portfolio. This is one of the largest monthly patch releases in recent history. Of the 147 CVEs, 23 are rated Critical, 118 are rated Important, and 6 are rated Moderate. Three vulnerabilities are confirmed zero-days — meaning they were being actively exploited before Microsoft released the fix.
Zero-Day #1: CVE-2026-2891 — Windows CLFS Elevation of Privilege
The most urgently exploited zero-day this month is CVE-2026-2891, a privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver. This vulnerability allows a locally authenticated attacker to elevate their privileges to SYSTEM level, giving them complete control over the affected machine. Multiple ransomware groups — including a successor to the LockBit operation — are actively using this vulnerability as part of their post-exploitation toolkit. Once attackers gain initial access through phishing or another vector, they use this flaw to escalate privileges before deploying ransomware. This affects all supported versions of Windows 10, Windows 11, and Windows Server.
Zero-Day #2: CVE-2026-2944 — Microsoft Office Remote Code Execution
CVE-2026-2944 is a critical remote code execution vulnerability in Microsoft Office that can be triggered when a user opens a specially crafted Office document. The vulnerability exists in the way Office processes certain embedded objects and does not require macros to be enabled. Attackers are distributing malicious Word and Excel documents via phishing emails. Simply opening the document is sufficient to trigger code execution with the privileges of the logged-in user. This affects Microsoft Office 2019, Office 2021, and Microsoft 365 Apps for Enterprise. Microsoft has released patches and also published a workaround involving Protected View settings.
Zero-Day #3: CVE-2026-3012 — Windows DNS Server Spoofing
CVE-2026-3012 is a DNS spoofing vulnerability in Windows DNS Server that allows an unauthenticated attacker on the same network to intercept and manipulate DNS responses. This can be used to redirect users to malicious websites, intercept credentials, or perform man-in-the-middle attacks. While this requires network adjacency (the attacker must be on the same network segment), it is particularly dangerous in environments with guest Wi-Fi networks or where contractors have network access. This affects Windows Server 2019 and 2022 running the DNS Server role.
Other Notable Patches This Month
Beyond the three zero-days, several other patches deserve priority attention. Exchange Server received fixes for two Critical remote code execution vulnerabilities that could allow unauthenticated attackers to execute code on the mail server. Azure Active Directory Connect received a patch for a privilege escalation flaw. Windows Hyper-V received fixes for two guest-to-host escape vulnerabilities. Microsoft also patched 14 vulnerabilities in the Windows TCP/IP stack, several of which are rated Critical.
Deployment Recommendations
For organizations using Windows Update or Microsoft Update, these patches will be delivered automatically if automatic updates are enabled. For organizations managing updates via WSUS, SCCM, or Intune, deploy the April updates to all endpoints within 72 hours, prioritizing internet-facing systems and servers. Test in a staging environment first if your organization requires it, but do not let testing delays push deployment beyond one week. For Exchange Server, apply the April Cumulative Update and follow Microsoft's documented update procedures.
- Deploy April Patch Tuesday updates to all Windows systems within 72 hours
- Prioritize CVE-2026-2891 (CLFS elevation of privilege) — actively used by ransomware groups
- CVE-2026-2944 affects all Office versions including Microsoft 365 — patch or apply workaround immediately
- Exchange Server administrators should apply the Cumulative Update before end of week
- Enable Windows Update on all endpoints if not already managed via WSUS or Intune
Need Help With This Threat?
Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.
Stay ahead of the next threat
Get weekly security alerts — breaches, patch updates, compliance news, and threat intel — delivered free to your inbox every week.