Microsoft on Tuesday pushed out what security researchers are calling the second-largest monthly security update in the company’s history, patching 165 vulnerabilities, including two zero-days.
The sheer size of this month’s release raised eyebrows immediately. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, noted in a blog post that the release rivals the record set in October 2025.
Microsoft has offered no public explanation for the surge in volume, but Childs pointed to a growing trend: “Our incoming rate has essentially tripled, making triage a challenge, to say the least,” he wrote, attributing much of the increase to vulnerability reports generated with AI tools.
The zero-days you need to know about
The more urgent of the two zero-days is a SharePoint Server spoofing flaw, tracked as CVE-2026-32201, carrying a CVSS score of 6.5. Microsoft described the issue as improper input validation that lets an unauthenticated attacker perform spoofing over a network, potentially reading sensitive information and altering disclosed data.
The second zero-day, CVE-2026-33825, was present in Microsoft Defender and was publicly known before today’s patch. The privilege escalation bug can hand an attacker full SYSTEM-level access. Security researcher Jack Bicer of Action1 told TechRepublic that once this foothold is established, “it allows full control over endpoints, enabling data exfiltration, disabling security tools, and lateral movement across networks.”
Proof-of-concept exploit code for the flaw, nicknamed BlueHammer by the researcher who posted it to GitHub early this month, is already in the wild. Users can push the Defender fix manually via Windows Security → Virus & threat protection → Protection Updates → Check for updates.
Eight critical flaws, with remote code execution front and centre
Of the eight vulnerabilities Microsoft rated Critical this month, seven involve remote code execution, and one is a denial-of-service issue.
The standout is CVE-2026-33824, a flaw in the Windows Internet Key Exchange extension scoring a near-perfect 9.8 on the CVSS scale. An unauthenticated attacker can exploit it by sending crafted packets to any Windows machine running IKE version 2. For organisations that cannot patch immediately, Microsoft recommends blocking inbound traffic on UDP ports 500 and 4500.
Also flagged as critical: a race condition in Windows TCP/IP (CVE-2026-33827) that could allow remote code execution via specially crafted IPv6 packets against machines with IPSec enabled, and a flaw in Windows Active Directory (CVE-2026-33826), though that one requires the attacker to already be inside the same restricted Active Directory domain as the target.
Microsoft Office users face multiple remote code execution bugs in Word and Excel, some of which can be triggered simply by previewing a malicious document in the preview pane. Security teams should treat Office patching as a high priority, particularly for users who regularly open email attachments.
Other improvements in KB5083769
Beyond security, the update bundles a handful of quality-of-life improvements for Windows 11:
- Narrator can now describe images on all Windows 11 PCs, accessible via keyboard shortcut.
- Smart App Control can be toggled on or off without reinstalling Windows.
- File Explorer gains Voice Typing support for renaming files.
- Remote Desktop now surfaces all requested connection settings before connecting when opening an .rdp file, along with a one-time security warning, a direct response to phishing attacks that abuse RDP files.
- Reset this PC no longer hits a bug that could cause device resets to fail after March’s hotpatch update.
- Display support now extends to refresh rates above 1,000Hz.
For Windows 11 users on versions 25H2 and 24H2, the update lands as KB5083769, bringing devices to build 26200.8246 or 26100.8246, respectively. It downloads automatically through Windows Update.
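For teams working through the IKE mitigation and the KB5083769 build numbers above, here is a host audit written for this article as an added example. It is not a Microsoft script. The rule name and the -ApplyBlock switch are labels chosen here, and it assumes an elevated PowerShell session on Windows 11 24H2 or 25H2.

```powershell
# Added example: report IKE exposure on this host and optionally apply the
# temporary UDP 500/4500 inbound block until KB5083769 is installed.
param([switch]$ApplyBlock)   # hypothetical switch name, chosen for this example

$RuleName = 'Temp block inbound IKE (CVE-2026-33824)'   # label chosen here
$IkePorts = 500, 4500

# Builds the article gives for KB5083769: 24H2 -> 26100.8246, 25H2 -> 26200.8246.
$PatchedUbr = @{ 26100 = 8246; 26200 = 8246 }

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR

if (-not $PatchedUbr.ContainsKey($build)) { $state = 'UnknownBuild' }
elseif ($ubr -ge $PatchedUbr[$build])     { $state = 'Patched' }
else                                      { $state = 'Unpatched' }

# IKEEXT is the Windows service that hosts the IKE and AuthIP keying modules.
$ike       = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
$listeners = @(Get-NetUDPEndpoint -LocalPort $IkePorts -ErrorAction SilentlyContinue)
$rule      = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

if ($ApplyBlock -and $state -ne 'Patched' -and -not $rule) {
    # Caveat: this also stops legitimate IPsec/IKEv2 (including NAT-T) traffic
    # terminating on this host, so skip it on VPN endpoints you cannot take down.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort $IkePorts -Action Block -Profile Any | Out-Null
    $rule = Get-NetFirewallRule -DisplayName $RuleName
}

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Build          = "$build.$ubr"
    PatchState     = $state
    IkeExtStatus   = if ($ike) { $ike.Status } else { 'NotPresent' }
    UdpListeners   = ($listeners.LocalPort | Sort-Object -Unique) -join ','
    BlockRuleInUse = [bool]($rule -and $rule.Enabled -eq 'True')
}

# After patching, remove the temporary rule:
#   Remove-NetFirewallRule -DisplayName 'Temp block inbound IKE (CVE-2026-33824)'
```

Run it without the switch first to see which hosts are unpatched and actually listening on the IKE ports before deciding where the block is safe to apply.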

