April 2026 Patch Tuesday: 163 CVEs & SharePoint 0-day

Published April 16, 2026 · by ALGERIATECH Editorial

⚡ Key Takeaways

Microsoft’s April 2026 Patch Tuesday fixes 163 CVEs — 8 Critical, 154 Important — including actively exploited SharePoint zero-day CVE-2026-32201 and four Critical RCEs (TCP/IP, IKE, Active Directory, Defender EoP). CISA mandates federal patching by April 28, 2026.

Bottom Line: Patch CVE-2026-32201 this week and use the 163-CVE volume as the business case to automate patch validation.

Read Full Analysis ↓

🧭 Decision Radar

Relevance for Algeria
High
▾

Algerian banks, ministries, and large enterprises run sizable SharePoint, Active Directory, and Windows Server estates; an actively exploited SharePoint zero-day is a live threat, not theoretical.

Infrastructure Ready?
Partial
▾

Patch infrastructure exists (WSUS, Intune, SCCM) at tier-1 Algerian organizations. SMEs and public-sector mid-tier agencies still rely on manual or semi-automated patching, which will miss CISA-aligned timelines.

Skills Available?
Partial
▾

Vulnerability management practitioners exist but are thinly spread; the scarce skill is automated patch validation that can clear 163 CVEs inside a two-week window without breaking production.

Action Timeline
Immediate
▾

CVE-2026-32201 must be patched now; the broader 163-CVE cycle needs to be absorbed within 30 days per CISA-aligned best practice.

Key Stakeholders
CISOs, IT ops, CERT-DZ, banking sector CIOs, ministries running SharePoint, security operations teams

Decision Type
Tactical
▾

A patch-cycle execution problem today, but a budget conversation about automation investment for next quarter.

Quick Take: For Algerian CISOs, the April 2026 cycle compresses into two decisions: patch SharePoint CVE-2026-32201 before April 28 using whatever emergency process you have, then use this cycle’s sheer volume as the business case for automating patch validation — 163 CVEs cannot be tested by hand and will not be the last cycle of this size.

The Second-Largest Patch Release Ever

On April 14, 2026, Microsoft released security updates fixing 163 CVEs across Windows, Office, SharePoint, Defender, Remote Desktop, and Azure components. Counts vary slightly across trackers — Tenable reports 163, BleepingComputer 167, Zero Day Initiative cites 169 including third-party fixes — but the scale is undisputed: this is the second-largest Patch Tuesday ever released, surpassed only by October 2025’s record 167-CVE drop.

Of the 163 Microsoft-issued CVEs:

8 rated Critical
154 rated Important
1 rated Moderate
2 zero-days, one actively exploited in the wild

Elevation of privilege dominated the vulnerability mix at 57.1%, followed by information disclosure (12.3%) and remote code execution (12.3%). The large EoP share is consistent with a threat landscape where initial access is often commoditized, and attackers’ value is concentrated in post-compromise privilege escalation.

The Actively Exploited Zero-Day: CVE-2026-32201

The vulnerability that demands the most urgent attention is CVE-2026-32201, a spoofing flaw in Microsoft SharePoint Server that is already being exploited in the wild.

CVSS: 6.5 (Medium)
Impact: Confidentiality and Integrity compromise (no Availability impact)
Attack vector: Network, unauthenticated
Affected products: SharePoint 2016, SharePoint 2019, SharePoint Server Subscription Edition

The CVSS score does not fully capture the operational risk. CISA has added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch agencies remediate by April 28, 2026. For enterprises running self-hosted SharePoint in regulated industries (finance, healthcare, government, defense), the KEV listing is a signal that the same timeline should apply internally — two weeks is a reasonable ceiling, not a floor.

The vulnerability’s origin remains murky. Microsoft reports it was internally discovered, but attribution of the in-the-wild exploitation has not been disclosed.

Other High-Priority Patches

After CVE-2026-32201, four additional vulnerabilities warrant top-of-queue attention:

1. CVE-2026-33827 — Windows TCP/IP RCE

CVSS 9.8. Remote code execution over the TCP/IP stack with no user interaction required. Affects multiple Windows versions. For any system exposed to the internet or to untrusted network segments, this is an emergency patch. It is also one of those vulnerabilities that wormable exploit code will likely follow within days.

2. CVE-2026-33824 — Windows IKE Service Extensions RCE

CVSS 9.8, Critical. Exploitable by an unauthenticated attacker sending crafted packets to a target with IKEv2 enabled. Any VPN gateway, site-to-site tunnel, or Windows-based IPSec endpoint is in scope.

3. CVE-2026-33826 — Windows Active Directory RCE

CVSS 8.0, Critical, rated “Exploitation More Likely” by Microsoft. Domain controllers are high-value targets; a successful exploit here compromises the identity plane of the Windows environment.

4. CVE-2026-33825 — Microsoft Defender Zero-Day (EoP to SYSTEM)

Allows attackers already present on a host to escalate to SYSTEM via Defender itself. Microsoft ships the fix in Defender Antimalware Platform 4.18.26050.3011, distributed automatically. The priority is verifying the update has actually landed across your estate.

Enterprise Prioritization: A Three-Tier Approach

For IT and security teams sizing the April 2026 cycle, three tiers cover most estates:

Tier 1 — Emergency (within 72 hours)

CVE-2026-32201 (SharePoint, actively exploited)
CVE-2026-33827 (Windows TCP/IP, wormable potential)
CVE-2026-33824 (IKE Service, unauth RCE)
CVE-2026-33825 (Defender EoP, zero-day)

Tier 2 — High (within 14 days)

CVE-2026-33826 (Active Directory RCE)
The remaining four Critical-rated vulnerabilities
RDP-related fixes (relevant to any environment with exposed RDP)
Office document handling RCEs (phishing exposure)

Tier 3 — Standard cycle (within 30 days)

The ~149 Important-rated fixes, processed through normal change management
Non-critical EoP vulnerabilities on air-gapped or tightly-controlled systems

Operational Implications for Security Teams

Testing burden is real. 163 CVEs in a single cycle stresses patch-test lab capacity. Organizations without automated patch-validation pipelines will struggle to complete testing before the CISA deadline on the SharePoint zero-day.

SharePoint Server is increasingly a liability. Self-hosted SharePoint has been the source of multiple high-impact zero-days over the past two years. For organizations that have not yet migrated to SharePoint Online or replaced the service with modern alternatives, April 2026 is another signal that the total cost of ownership of on-prem SharePoint is climbing.

Automation pays back again. Enterprises running WSUS-only patching will miss the CISA deadline on several of the Tier 1 fixes. Intune, Azure Update Manager, or third-party platforms (Ivanti, Tanium, Automox, Action1) materially reduce time-to-patch on cycles of this size.

Vendor ecosystem was busy too. Adobe, Fortinet, and several other vendors shipped concurrent April 2026 updates. Teams should not treat Microsoft’s Patch Tuesday as the full scope of the April cycle — third-party software on the same Windows hosts frequently harbors equal or greater risk.

The Bigger Picture

Two observations from this cycle will matter beyond April:

Patch Tuesday volumes are trending up. 2024 averaged ~90 CVEs/month; 2025 averaged ~110; the first four months of 2026 are averaging 130+. Vulnerability discovery — accelerated by AI-assisted fuzzing and by models like Claude Mythos — is outpacing Microsoft’s ability to ship quiet months.
KEV-driven compliance is becoming the de facto standard. Even for non-federal organizations, alignment to CISA’s KEV timelines is increasingly a contractual expectation from insurers, auditors, and regulators. Vulnerability management programs structured around KEV deadlines are significantly less fragile than calendar-based approaches.

For CISOs, the takeaway from April 2026 is straightforward: the SharePoint zero-day is a fire; the volume of Critical RCEs is a warning; and the overall release size is a trend. Staff, tool, and process investments in vulnerability management should scale accordingly.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn

Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Frequently Asked Questions

Our Algerian organization does not run federal US infrastructure — why does the CISA KEV deadline matter to us?

The KEV catalog is the de facto global benchmark for vulnerability severity in 2026. Cyber insurance policies, vendor audits, and even local regulatory expectations increasingly reference KEV timelines. An organization that systematically misses KEV deadlines faces higher insurance premiums, failed audits, and regulatory scrutiny — regardless of jurisdiction.

What if we cannot migrate off self-hosted SharePoint this year?

Minimize internet exposure of the SharePoint service (VPN-only, restricted IP ranges, Web Application Firewall in front), enforce MFA on all SharePoint admin accounts, and automate patch application via Intune or Azure Update Manager rather than manual WSUS approvals. Plan the SharePoint Online migration for 2027 — the TCO picture keeps getting worse.

How do we prioritize if we only have bandwidth to patch 10 of the 163 CVEs this week?

The Tier 1 list: CVE-2026-32201 (SharePoint), CVE-2026-33827 (TCP/IP RCE, wormable risk), CVE-2026-33824 (IKE Service), CVE-2026-33825 (Defender EoP), and CVE-2026-33826 (Active Directory RCE). Those five plus the remaining three Critical CVEs and the two Office RCE fixes cover the real immediate risk surface.