Cyber News & CTI Reports :: 2026-04-14 | Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities


1. AI Summary

Microsoft April 2026 Patch Tuesday releases 165 fixes, including critical RCE and DoS bugs in .NET, Remote Desktop, Office, IKE, AD and TCP/IP; Talos adds Snort rules to detect exploits; mitigation guidance includes blocking IKE ports.

2. IOCs

IOC Type | Value | Description | Relevant MITRE ATT&CK Techniques
Vulnerability | CVE-2026-23666 | Critical DoS in .NET Framework; network-level denial of service. | T1499
Vulnerability | CVE-2026-32157 | Critical use-after-free in Remote Desktop client; leads to code execution on the client when connecting to a malicious server. | T1210
Vulnerability | CVE-2026-32190 | Critical use-after-free in Microsoft Office; enables local code execution. | T1068
Vulnerability | CVE-2026-33114 | Critical untrusted pointer dereference in Office Word; local code execution. | T1068
Vulnerability | CVE-2026-33115 | Critical use-after-free in Office Word; local code execution. | T1068
Vulnerability | CVE-2026-33824 | Critical double-free in IKE extension; remote code execution via crafted UDP packets. | T1190
Vulnerability | CVE-2026-33826 | Critical input validation flaw in Active Directory RPC; requires authentication within the same AD domain for RCE. | T1078
Vulnerability | CVE-2026-33827 | Critical race condition in Windows TCP/IP; unauthenticated RCE via crafted IPv6 packets. | T1190
Vulnerability | CVE-2026-32201 | Important input validation issue in SharePoint; enables spoofing and information disclosure; observed in the wild. | T1195.001

3. MITRE ATT&CK

Code | Title
T1190 | Exploitation of public-facing applications (e.g., IKE, Remote Desktop client).
T1210 | Exploitation for client execution (Remote Desktop client use-after-free).
T1068 | Exploitation for privilege escalation (multiple elevation-of-privilege bugs).
T1499 | Denial of Service via .NET DoS vulnerability.
T1195.001 | Supply chain compromise; malicious Snort rules could be used to detect or block exploitation attempts.
T1040 | Network sniffing; attackers may monitor crafted packets for IKE/TCP-IP exploits.
T1064 | Scripting; exploitation of Office documents often involves malicious macros.
T1203 | Exploitation for remote code execution (Windows IKE, AD RPC).
T1078 | Valid Accounts; some exploits require authenticated access (AD RPC).
T1566.001 | Phishing: Spearphishing Attachment; remote Office exploits are often delivered via crafted email attachments.

4. Targets

Type | Value
Region | Global
Sector | Enterprise IT / Windows operating systems

5. Article Details

6. Original text

Blog · Patch Tuesday
Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities
By Nick Biasini, Tuesday, April 14, 2026 16:27

Microsoft has released its monthly security update for April 2026, which includes 165 vulnerabilities affecting a wide range of products, including eight that Microsoft marked as "critical."

CVE-2026-23666 is a critical Denial of Service (DoS) vulnerability that affects the .NET Framework. Successful exploitation could allow the attacker to deny service over the network.

CVE-2026-32157 is a critical use-after-free vulnerability in the Remote Desktop Client that results in code execution. The attack requires an authorized user on the client to connect to a malicious server, which could result in code execution on the client.

CVE-2026-32190 is a critical use-after-free vulnerability in Microsoft Office that can result in local code execution. The attacker is remote, but the attack is carried out locally: code from the local machine needs to be executed to exploit the vulnerability.

CVE-2026-33114 is a critical untrusted pointer dereference vulnerability in Microsoft Office Word that could allow the attacker to execute code locally. Code from the local machine needs to be executed to exploit this vulnerability.

CVE-2026-33115 is a critical use-after-free vulnerability in Microsoft Office Word that can result in local code execution. As with CVE-2026-33114 and CVE-2026-32190, the attacker is remote, but code needs to be executed from the local machine to exploit the vulnerability.

CVE-2026-33824 is a critical double-free vulnerability in the Windows Internet Key Exchange (IKE) extension, allowing remote code execution. An unauthenticated attacker can send specially crafted packets to a Windows machine with IKE version 2 enabled to potentially achieve remote code execution. Additional mitigations can include blocking inbound traffic on UDP ports 500 and 4500 if IKE is not in use.

CVE-2026-33826 is a critical improper input validation vulnerability in Windows Active Directory that can result in code execution over an adjacent network. It requires an authenticated attacker to send specially crafted RPC calls to an RPC host and can result in remote code execution. Note that successful exploitation requires the attacker to be in the same restricted Active Directory domain as the target system.

CVE-2026-33827 is a critical race condition vulnerability in Windows TCP/IP that can result in remote code execution. Successful exploitation requires the attacker to win a race condition, along with additional actions prior to exploitation to prepare the target environment. An unauthenticated actor can send specially crafted IPv6 packets to a Windows node where IPsec is enabled to potentially achieve remote code execution.

CVE-2026-32201 is an important improper input validation vulnerability in Microsoft Office SharePoint that can allow an unauthorized user to perform spoofing. An attacker who successfully exploits this vulnerability could view some sensitive information and make changes to the disclosed information. This vulnerability has already been detected as being exploited in the wild.

The majority of the remaining vulnerabilities are labeled as important, with two moderate and one low vulnerability also being patched. Talos would like to highlight several additional important vulnerabilities that Microsoft has deemed "more likely" to be exploited:

· CVE-2026-0390 - UEFI Secure Boot Security Feature Bypass Vulnerability
· CVE-2026-26151 - Remote Desktop Spoofing Vulnerability
· CVE-2026-26169 - Windows Kernel Memory Information Disclosure Vulnerability
· CVE-2026-26173 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
· CVE-2026-26177 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
· CVE-2026-26182 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
· CVE-2026-27906 - Windows Hello Security Feature Bypass Vulnerability
· CVE-2026-27908 - Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability
· CVE-2026-27909 - Windows Search Service Elevation of Privilege Vulnerability
· CVE-2026-27913 - Windows BitLocker Security Feature Bypass Vulnerability
· CVE-2026-27914 - Microsoft Management Console Elevation of Privilege Vulnerability
· CVE-2026-27921 - Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability
· CVE-2026-27922 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
· CVE-2026-32070 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
· CVE-2026-32075 - Windows UPnP Device Host Elevation of Privilege Vulnerability
· CVE-2026-32093 - Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability
· CVE-2026-32152 - Desktop Window Manager Elevation of Privilege Vulnerability
· CVE-2026-32154 - Desktop Window Manager Elevation of Privilege Vulnerability
· CVE-2026-32155 - Desktop Window Manager Elevation of Privilege Vulnerability
· CVE-2026-32162 - Windows COM Elevation of Privilege Vulnerability
· CVE-2026-32202 - Windows Shell Spoofing Vulnerability
· CVE-2026-32225 - Windows Shell Security Feature Bypass Vulnerability
· CVE-2026-33825 - Microsoft Defender Elevation of Privilege Vulnerability

A complete list of all other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are: 1:65902-1:65903, 1:66242-1:66251, 1:66259-1:66260, 1:66264-1:66267, 1:66275-1:66276

The following Snort 3 rules are also available: 1:301398, 1:301468-1:3101472, 1:301475, 1:301477-1:301478, 1:301480
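A practical follow-up to the rule list above is to confirm that the rule pack actually deployed on a sensor contains, and has enabled, every SID Talos names. The following Python is an added example (not code from the Talos post or the Snort project): it expands the Snort 2 ranges as printed and compares them against a rules file, treating a leading "#" as a disabled rule. The rule file excerpt is constructed with placeholder bodies; only the SIDs mirror the advisory, and the Snort 3 list is deliberately left out because the range 1:301468-1:3101472 as printed would expand to millions of SIDs.

```python
import re
from typing import Dict, List, Set, Tuple
# Snort 2 rule ranges exactly as printed in the Talos post.
SNORT2_RANGES = ("1:65902-1:65903, 1:66242-1:66251, 1:66259-1:66260, "
                 "1:66264-1:66267, 1:66275-1:66276")

# Constructed sample rules file: placeholder bodies, only the SIDs mirror the advisory.
SAMPLE_RULES = """\
# constructed sample, not a real Talos rule pack; second rule is commented out
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"PLACEHOLDER A"; sid:65902; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4500 (msg:"PLACEHOLDER B"; sid:65903; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER C"; gid:1; sid:66242; rev:1;)
"""

def expand_ranges(spec: str) -> Set[Tuple[int, int]]:
    """Expand 'gid:sid-gid:sid, gid:sid, ...' into a set of (gid, sid) pairs."""
    out: Set[Tuple[int, int]] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        gid, sid_lo = (int(x) for x in lo.split(":"))
        sid_hi = int(hi.split(":")[1]) if hi else sid_lo
        out.update((gid, s) for s in range(sid_lo, sid_hi + 1))
    return out

# A rule line: optional leading '#' (disabled), an action keyword, then options with 'sid:N;'.
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?P<body>(?:alert|drop|block|reject|pass|log)\s.*\bsid:\s*(?P<sid>\d+)\s*;.*)$")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")  # gid defaults to 1 when absent

def load_rules(text: str) -> Dict[Tuple[int, int], bool]:
    """Map each (gid, sid) in a rules file to True (enabled) or False (commented out)."""
    rules: Dict[Tuple[int, int], bool] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            gm = GID_RE.search(m.group("body"))
            gid = int(gm.group(1)) if gm else 1
            rules[(gid, int(m.group("sid")))] = m.group("off") is None
    return rules

def coverage(spec: str, rules_text: str) -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Return (missing, disabled): advisory rules absent from, or commented out in, the file."""
    wanted, have = expand_ranges(spec), load_rules(rules_text)
    missing = sorted(r for r in wanted if r not in have)
    disabled = sorted(r for r in wanted if have.get(r) is False)
    return missing, disabled

if __name__ == "__main__":
    missing, disabled = coverage(SNORT2_RANGES, SAMPLE_RULES)
    print(f"missing {len(missing)} of {len(expand_ranges(SNORT2_RANGES))}; disabled: {disabled}")
```

Point `coverage` at the contents of the deployed snort.rules (or the Talos rule file from the pack) instead of SAMPLE_RULES; a non-empty "missing" list means the SRU or rule pack update has not landed on that sensor.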