April 2026 Patch Tuesday: 163 CVEs, Two Zero-Days, and a Server Update That Broke Domain Controllers

April 2026 delivered the second-largest Patch Tuesday in history — 163 CVEs, approaching the record set in October 2025. The release includes two zero-day vulnerabilities, one actively exploited, eight critical flaws, and a server update regression that caused domain controllers to enter restart loops. The combination of massive volume and operational disruption makes this one of the most demanding Patch Tuesday releases in recent years.

Actively Exploited Zero-Day: CVE-2026-33825

The headline vulnerability is CVE-2026-33825, an elevation of privilege flaw in Microsoft Defender itself. An insufficient access-control granularity flaw allows an authenticated attacker to elevate local privileges. CISA added it to the Known Exploited Vulnerabilities catalog with a remediation deadline of May 6, 2026.

What makes this particularly concerning is the exploit's association with the "Bluehammer" attack tooling. While the April patch addresses the initial Defender vulnerability, security researchers identified two additional exploits from the same attacker — dubbed "RedSun" and "UnDefend" — that remained unpatched as of the April release. Organizations should monitor for follow-up patches addressing these variants.

A second zero-day targets Microsoft Office SharePoint (CVE-2026-32201) with an improper input validation flaw enabling network spoofing. CISA set an April 28 remediation deadline.

Critical Vulnerabilities

Eight critical CVEs span multiple product areas. A Remote Desktop Client use-after-free vulnerability (CVE-2026-32157) enables code execution when an authorized user connects to a malicious server. A .NET framework denial of service flaw (CVE-2026-23666) can be exploited remotely. Office received another critical use-after-free (CVE-2026-32190) exploitable via malicious documents.

Elevation of privilege vulnerabilities dominated at 57% of the total — the highest percentage in 2026 so far.

The Domain Controller Restart Loop

Beyond the vulnerabilities themselves, the April security update (KB5082063) failed on Windows Server 2025 deployments and caused domain controllers across Server 2016, 2019, and 2022 to enter restart loops. Microsoft issued out-of-band patches on April 19 — five days after the initial release.

Two days later, a separate OOB update addressed CVE-2026-40372 (CVSS 9.1), a critical elevation of privilege vulnerability in ASP.NET Core data protection cryptographic APIs discovered in .NET 10.0.7. A user could gain SYSTEM privileges through the web framework's own cryptographic layer.

This is the second month in 2026 in which Microsoft's Patch Tuesday updates themselves caused significant operational disruption requiring emergency fixes. The pattern reinforces that testing and staged deployment are not optional luxuries — they are operational necessities.

Deployment Recommendations

Test the April cumulative update on domain controllers in a lab environment before deploying to production. Apply the April 19 OOB fix alongside the original update. Prioritize the Defender zero-day and monitor for Bluehammer variant patches. The .NET OOB fix (CVE-2026-40372) should be included in the next Patch Tuesday rollup, but verify coverage.

163 CVEs in a single release means patch fatigue is a real risk. Automated prioritization based on exploit status, CVSS score, and product applicability filtering — not just "deploy everything" — is the only scalable approach at this volume.
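To make the two recommendations above concrete (verify that the April update and its OOB fix actually landed on each domain controller, and rank the release by exploit status, KEV deadline, severity and product applicability rather than "deploy everything"), here is a small Python script. It is an added example, not code from this post or from Patchblox. The CVE list is built only from the CVEs named above: the `critical` flag follows the post's critical list (the two zero-days are assumed not to be among the eight criticals), the only CVSS score present is the 9.1 the post gives for CVE-2026-40372 (the rest are left unknown rather than guessed), and the product inventory, host names and the OOB KB number are constructed placeholders because the post does not give them.

```python
"""Rank a Patch Tuesday release and check update coverage on domain controllers.

Added example. The CVE records below are taken from the April 2026 post; fields
the post does not state (CVSS for most entries, the OOB KB number, the estate's
product inventory and host names) are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Cve:
    cve_id: str
    product: str
    critical: bool = False            # per the post's list of critical CVEs
    exploited: bool = False           # exploited in the wild at release time
    kev_deadline: Optional[date] = None  # CISA KEV remediation deadline, if listed
    cvss: Optional[float] = None      # None = not stated in the post


# CVEs named in the post. Severity flags follow the post; CVSS is only known for
# CVE-2026-40372. The zero-days are assumed not to be in the critical set.
APRIL_2026 = [
    Cve("CVE-2026-33825", "Microsoft Defender", exploited=True, kev_deadline=date(2026, 5, 6)),
    Cve("CVE-2026-32201", "SharePoint", kev_deadline=date(2026, 4, 28)),
    Cve("CVE-2026-32157", "Remote Desktop Client", critical=True),
    Cve("CVE-2026-23666", ".NET", critical=True),
    Cve("CVE-2026-32190", "Office", critical=True),
    Cve("CVE-2026-40372", "ASP.NET Core", critical=True, cvss=9.1),
]

# Constructed: KB5082063 is the April cumulative update named in the post; the
# April 19 out-of-band fix's KB number is not given there, so it is a placeholder.
REQUIRED_ON_DCS = {"KB5082063", "KB-OOB-PLACEHOLDER"}


def applicable(cves: list[Cve], inventory: set[str]) -> list[Cve]:
    """Product applicability filter: drop CVEs for products the estate does not run."""
    return [c for c in cves if c.product in inventory]


def rank_key(c: Cve):
    """Sort key, lower first: exploited, then earliest KEV deadline, then critical, then highest CVSS."""
    return (not c.exploited, c.kev_deadline or date.max, not c.critical, -(c.cvss or 0.0))


def prioritize(cves: list[Cve], inventory: set[str], today: date) -> list[tuple[str, str]]:
    """Return (cve_id, reason) pairs in deployment order for the given inventory."""
    result = []
    for c in sorted(applicable(cves, inventory), key=rank_key):
        if c.exploited:
            reason = "exploited in the wild"
            if c.kev_deadline:
                reason += f", KEV deadline {c.kev_deadline.isoformat()}"
        elif c.kev_deadline:
            reason = f"on CISA KEV, {(c.kev_deadline - today).days} days to deadline"
        elif c.critical:
            reason = "critical" + (f", CVSS {c.cvss}" if c.cvss is not None else "")
        else:
            reason = "standard"
        result.append((c.cve_id, reason))
    return result


def coverage_gaps(required: set[str], installed_by_host: dict[str, set[str]]) -> dict[str, set[str]]:
    """Per host, the required updates that are missing (empty dict means full coverage)."""
    return {host: required - kbs for host, kbs in installed_by_host.items() if required - kbs}


if __name__ == "__main__":
    # Constructed inventory: this estate runs everything in the list except SharePoint.
    estate = {"Microsoft Defender", "Remote Desktop Client", ".NET", "Office", "ASP.NET Core"}
    for cve_id, why in prioritize(APRIL_2026, estate, date(2026, 4, 20)):
        print(f"{cve_id}: {why}")

    # Constructed hotfix inventory, e.g. collected from Get-HotFix on each DC.
    dcs = {"dc01": {"KB5082063"}, "dc02": {"KB5082063", "KB-OOB-PLACEHOLDER"}}
    for host, missing in coverage_gaps(REQUIRED_ON_DCS, dcs).items():
        print(f"{host} is missing {sorted(missing)}")
```

Feeding `coverage_gaps` from a real hotfix inventory (for example the output of `Get-HotFix` on each DC) surfaces the case the post warns about: a controller that received the April cumulative update but not the April 19 OOB fix. The ranking deliberately treats an unknown CVSS as lower than a known one rather than inventing a score, so a missing score never promotes an entry.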
