Microsoft Patch Tuesday for April 2026 – Snort Rule and Prominent Vulnerabilities

Microsoft has released its monthly security update for April 2026, which includes 165 vulnerabilities affecting a wide range of products, including eight that Microsoft marked as “critical.”
CVE-2026-23666 is a critical Denial of Service (DoS) vulnerability that affects the .NET framework. Successful exploitation could allow the attacker to deny service over the network.
CVE-2026-32157 is a critical use after free vulnerability in the Remote Desktop Client that results in code execution. The attack requires an authorized user on the client to connect to a malicious server, which could result in code execution on the client.
CVE-2026-32190 is a critical use after free vulnerability in Microsoft Office that can result in local code execution. The attacker is remote, but the attack is carried out locally: code from the local machine needs to be executed to exploit the vulnerability.
CVE-2026-33114 is a critical untrusted pointer dereference vulnerability in Microsoft Office Word that could allow the attacker to execute code locally. Code from the local machine needs to be executed to exploit this vulnerability.
CVE-2026-33115 is a critical use after free vulnerability in Microsoft Office Word that can result in local code execution. As with CVE-2026-33114 and CVE-2026-32190, the attacker is remote, but code needs to be executed from the local machine to exploit the vulnerability.
CVE-2026-33824 is a critical double free vulnerability in the Windows Internet Key Exchange (IKE) extension, allowing remote code execution. An unauthenticated attacker can send specially crafted packets to a Windows machine with IKE version 2 enabled to potentially enable remote code execution. Additional mitigations can include blocking inbound traffic on UDP ports 500 and 4500 if IKE is not in use.
CVE-2026-33826 is a critical improper input validation vulnerability in Windows Active Directory that can result in code execution over an adjacent network. It requires an authenticated attacker to send specially crafted RPC calls to an RPC host and can result in remote code execution. Note that successful exploitation requires the attacker to be in the same restricted Active Directory domain as the target system.
CVE-2026-33827 is a critical race condition vulnerability in Windows TCP/IP that can result in remote code execution. Successful exploitation requires the attacker to win a race condition along with additional actions prior to exploitation to prepare the target environment. An unauthenticated actor can send specially crafted IPv6 packets to a Windows node where IPsec is enabled to potentially achieve remote code execution.
CVE-2026-32201 is an important improper input validation vulnerability in Microsoft Office SharePoint that can allow an unauthorized user to perform spoofing. An attacker that successfully exploits this vulnerability could view some sensitive information and make changes to the disclosed information. This vulnerability has already been detected as being exploited in the wild.
The majority of the remaining vulnerabilities are labeled as important, with two moderate and one low vulnerability also being patched. Talos would like to highlight several additional important vulnerabilities that Microsoft has deemed “more likely” to be exploited.
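The following PowerShell is an added example (not from the Talos post) of how an administrator might apply the IKE mitigation mentioned above safely: it first checks whether the host has IKEv2 VPN connections or anything listening on UDP 500/4500, and only creates the inbound block rule when nothing appears to rely on IKE. The firewall rule display name is a placeholder.

```powershell
# Added example, not from the Talos post. Run from an elevated PowerShell prompt.
# Audits IKE usage on this Windows host before blocking inbound UDP 500/4500.
$ruleName = 'Block-Inbound-IKE-UDP500-4500'   # placeholder name, rename as needed

# 1. Report the state of the IKE and AuthIP IPsec keying service (IKEEXT).
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
if ($ike) { Write-Host "IKEEXT service status: $($ike.Status)" }
else      { Write-Host "IKEEXT service not present on this host" }

# 2. Look for configured VPN connections (per-user and all-user) that use IKEv2.
$ikev2Vpns = @(
    @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue) +
    @(Get-VpnConnection -ErrorAction SilentlyContinue) |
    Where-Object { $_.TunnelType -eq 'Ikev2' }
)

# 3. Look for live listeners on the IKE and NAT-T ports (covers IPsec policies too).
$listeners = @(Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue)

if ($ikev2Vpns.Count -gt 0 -or $listeners.Count -gt 0) {
    Write-Warning 'IKE appears to be in use on this host; rely on the patch, not the port block.'
    $ikev2Vpns | Format-Table Name, TunnelType -AutoSize
    $listeners | Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
    return
}

# 4. Nothing uses IKE: add the inbound block rule, skipping it if it already exists.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort 500, 4500 -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created inbound block rule '$ruleName' for UDP 500 and 4500."
} else {
    Write-Host "Rule '$ruleName' already exists; nothing to do."
}
```

Remove the rule with `Remove-NetFirewallRule -DisplayName $ruleName` once the patch is deployed and IKE is needed again.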
· CVE-2026-0390 – UEFI Secure Boot Security Feature Bypass Vulnerability
· CVE-2026-26151 – Remote Desktop Spoofing Vulnerability
· CVE-2026-26169 – Windows Kernel Memory Information Disclosure Vulnerability
· CVE-2026-26173 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
· CVE-2026-26177 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
· CVE-2026-26182 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
· CVE-2026-27906 – Windows Hello Security Feature Bypass Vulnerability
· CVE-2026-27908 – Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability
· CVE-2026-27909 – Windows Search Service Elevation of Privilege Vulnerability
· CVE-2026-27913 – Windows BitLocker Security Feature Bypass Vulnerability
· CVE-2026-27914 – Microsoft Management Console Elevation of Privilege Vulnerability
· CVE-2026-27921 – Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability
· CVE-2026-27922 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
· CVE-2026-32070 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
· CVE-2026-32075 – Windows UPnP Device Host Elevation of Privilege Vulnerability
· CVE-2026-32093 – Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability
· CVE-2026-32152 – Desktop Window Manager Elevation of Privilege Vulnerability
· CVE-2026-32154 – Desktop Window Manager Elevation of Privilege Vulnerability
· CVE-2026-32155 – Desktop Window Manager Elevation of Privilege Vulnerability
· CVE-2026-32162 – Windows COM Elevation of Privilege Vulnerability
· CVE-2026-32202 – Windows Shell Spoofing Vulnerability
· CVE-2026-32225 – Windows Shell Security Feature Bypass Vulnerability
· CVE-2026-33825 – Microsoft Defender Elevation of Privilege Vulnerability
A complete list of all other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are: 1:65902-1:65903, 1:66242-1:66251, 1:66259-1:66260, 1:66264-1:66267, 1:66275-1:66276
The following Snort 3 rules are also available: 1:301398, 1:301468-1:3101472, 1:301475, 1:301477-1:301478, 1:301480