167 Patches, Two Zero-Days, and a 15-Year Clock Running Out: Your April 2026 Windows Security Guide
April 15, 2026 · Windows Security
April 2026 has delivered one of the largest Windows security updates ever. Microsoft’s April 2026 Patch Tuesday addresses 167 vulnerabilities — including an actively exploited zero-day in SharePoint Server. Alongside the patches, a 15-year-old security foundation is quietly running out of time: Secure Boot certificates issued in 2011 begin expiring in June 2026. Whether you’re on Windows 11 or still using Windows 10, here is exactly what you need to know and do.
For more on Microsoft’s recent AI and software developments, see our coverage of Microsoft Copilot’s emergency AI overhaul.
April 2026 Patch Tuesday
Windows Security Update — At a Glance
8
Critical severity flaws
2
Zero-day vulnerabilities
80
Chrome/Edge browser CVEs (separate)
9.8
Highest CVSS score (IKE Extension)
#2
2nd-largest Patch Tuesday ever
TWO ZERO-DAYS THIS MONTH
⚡ Actively Exploited
CVE-2026-32201 · CVSS 6.5
SharePoint Server Spoofing
Improper input validation lets an unauthenticated attacker spoof content over a network — enabling phishing, data manipulation, and social engineering inside trusted SharePoint environments. Exploitation confirmed in the wild before patch was available.
Priority: Update SharePoint immediately
⚠ Publicly Disclosed
CVE-2026-33825 · CVSS 7.8
“BlueHammer” — Windows Defender EoP
A privilege escalation flaw in Microsoft Defender’s anti-malware platform. A local attacker can escalate to SYSTEM-level privileges. A researcher published exploit code after growing frustrated with Microsoft’s response time. Patched in Defender platform v4.18.26050.3011.
Fixed: Defender auto-update applies the fix
Countdown to June 2026
Your Secure Boot Certificates Are Expiring — Here’s the Timeline
After 15 years, the Microsoft Secure Boot certificates originally issued in 2011 are hitting their end-of-life. These certificates sit deep in your PC’s firmware and verify that only trusted software runs at startup — before Windows even loads. Once expired, your PC can’t apply new boot-level security fixes.
2011
Original Secure Boot certificates issued
Microsoft introduced Secure Boot with Windows 8, issuing the KEK CA 2011, Windows Production PCA 2011, and UEFI CA 2011. These three certificates have underpinned boot security on over a billion PCs ever since.
2023
New 2023 replacement certificates created
Microsoft created a restructured certificate chain — KEK 2K CA 2023, Windows UEFI CA 2023, and Option ROM UEFI CA 2023 — separating responsibilities more securely. Many PCs manufactured since 2024 already ship with these installed.
April 2026 — Now
Windows Security app now shows certificate status
Starting this month, go to Windows Security → Device Security → Secure Boot to see a green, yellow, or red badge. Updated 2023 certificates are being delivered automatically via Windows Update. A green badge alone is not enough — look for the text: “Secure Boot is on and all required certificate updates have been applied.”
May 2026
Notifications roll out — no excuses
From May, Microsoft will push system alerts and in-app warnings if your certificates have not been updated. These will appear outside the Security app as well, making the deadline impossible to miss.
June 24, 2026 — Deadline #1
KEK CA 2011 & UEFI CA 2011 expire
Your PC will still boot and run. But it enters what
Microsoft describes as a “degraded security state” — no further updates to Windows Boot Manager, Secure Boot databases, or revocation lists can be installed.
October 2026 — Deadline #2
Windows Production PCA 2011 expires
The certificate that signs the Windows bootloader itself expires. Devices without the 2023 certificates are effectively frozen at whatever boot-level protections existed at this point.
If updated in time
Full protection continues normally
Devices that receive the 2023 certificates via Windows Update continue to receive all future Secure Boot protections, including mitigations against threats like the BlackLotus UEFI bootkit (CVE-2023-24932).
Interactive Guide
How to Check Your Certificate Status — Step by Step
Click each step to expand the details. Then use the badge guide below to read your result.
1
Open Windows Security
Press Start, search “Windows Security”, and open the app.
Start → Search “Windows Security” → Open
2
Go to Device Security
Inside the app, click “Device security” in the left menu.
Windows Security → Device security → Secure Boot
3
Check via Registry (IT Pros)
Run PowerShell as administrator and check the UEFICA2023Status key.
Get-ItemProperty “HKLM:\SYSTEM\…\SecureBoot” | Select UEFICA2023Status
4
Windows 10 / ESU Users
Windows 10 mainstream support ended Oct 14, 2025. Enrol in Extended Security Updates (ESU) to receive the new certificates.
Windows 10 ESU enrollment required to receive Secure Boot cert updates
Tap a badge colour to see what it means for your device:
Green — You’re covered, but verify the text too.
A green checkmark alone does not confirm your certificates are updated. According to
Microsoft’s official guidance, you must also see the text:
“Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed.”
Yellow — Update is pending or in progress.
Your certificates are in the process of being updated, or your device needs a firmware update from your PC manufacturer (OEM) to proceed. Check with your OEM’s support page for a BIOS/UEFI firmware update. Don’t ignore this — the June deadline is real.
Red — Certificates have expired or update failed.
Your device has not received the new 2023 certificates. From June 2026, it will be unable to receive boot-level security fixes. If you’re on Windows 10 without ESU, you won’t get the update automatically. Enrol in ESU or upgrade to Windows 11 immediately.
Beyond the Zero-Days
Other High-Priority Vulnerabilities in April’s Update
Eight vulnerabilities carry a “Critical” rating. Seven involve remote code execution. Tap any entry to read what it affects and why it matters.
CVSS: 9.8 (highest this month). An unauthenticated attacker can send specially crafted network packets to a Windows machine with IKE version 2 enabled and execute arbitrary code remotely. No user interaction required. Affects Windows Server 2016–2025 and Windows 10/11 across multiple architectures. Patch immediately — especially on internet-facing servers.
Affects identity infrastructure directly. Improper input validation in RPC handling allows an authenticated attacker to execute arbitrary code within the domain. Low exploitation complexity combined with Active Directory’s central role means a successful attack can escalate to full domain takeover. Enterprises should prioritise this alongside the IKE flaw.
Sits in core networking. A flaw in the Windows TCP/IP stack that can be exploited across standard network connections. Because TCP/IP underpins essentially all network communication on a Windows machine, the reach of this vulnerability is broad. Apply patches on all networked Windows endpoints.
Triggerable via the preview pane. This flaw — alongside similar issues in Word and Excel — can be exploited simply by previewing a malicious document in File Explorer or Outlook, without opening the file. Particularly dangerous in environments where users handle external email attachments regularly.
Use-after-free flaw. Triggered when a user connects to a malicious or compromised Remote Desktop server. If exploited, the attacker gains code execution on the client machine. Remote workers connecting to external or untrusted RDP servers should apply this patch as a priority.
Network-level denial of service. The one Critical flaw this month that is a DoS rather than RCE. An unauthenticated attacker can crash .NET-based services remotely. Organisations running web applications or APIs built on .NET should apply this patch promptly.
Source: Microsoft Security Response Center — April 2026 Update Guide
Why 167 CVEs?
AI Tools Are Finding More Bugs — At Scale
April 2026 is the second-largest Patch Tuesday in Microsoft’s history. The record holder is October 2025, when 183 flaws were addressed. Researchers and security vendors have pointed to a surge in AI-assisted vulnerability discovery as a likely factor behind the increasing monthly totals.
“By my count, this is the second-largest monthly release in Microsoft’s history. If Microsoft is like other programs out there, they are likely seeing a rise in submissions found by AI tools. Our incoming rate has essentially tripled, making triage a challenge.”
— Dustin Childs, Head of Threat Awareness, Trend Micro Zero Day Initiative
Microsoft’s Security Response Center acknowledged the size of the release, noting that the number of patches in any given month can vary significantly. In a statement, Microsoft confirmed that one vulnerability this month was credited to an Anthropic researcher using Claude — part of a growing trend of AI-assisted security research. Microsoft also noted it is actively using AI tools internally to find and fix vulnerabilities more quickly.
Satnam Narang, senior staff research engineer at Tenable, noted that April marks the second-biggest Patch Tuesday ever for Microsoft. Narang also pointed out that elevation-of-privilege bugs have dominated the Patch Tuesday cycle over the last eight months, accounting for a record 57% of all CVEs patched in April, while remote code execution vulnerabilities dropped to just 12%. Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that the public BlueHammer exploit code no longer works after installing this month’s patches.
Separately, the unusually high browser vulnerability count — 80 Chromium/Edge CVEs — was driven by Microsoft publishing a batch of more than 60 browser patches on a single day last week, described by researchers as a record for that specific category. This was not linked to any single AI model announcement, but researchers say the broader increase in AI-powered bug-finding is “accelerating” and is expected to continue.
“A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities. We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further.”
— Adam Barnett, Lead Software Engineer, Rapid7
For context on how AI is reshaping the software ecosystem, see our report on Apple’s AI leadership changes in April 2026.
Also This Month
Other Critical Updates You Should Not Delay
April’s patch wave went well beyond Microsoft. Several other widely used products received urgent fixes.
Adobe Reader & Acrobat
Actively exploited zero-day — CVE-2026-34621
An emergency update from Adobe fixes a remote code execution flaw in Reader and Acrobat. Researchers have indicated exploitation has been occurring since at least November 2025. Opening a malicious PDF can trigger code execution. Update immediately.
Google Chrome
Fourth zero-day of 2026 — CVE-2026-5281
Chrome’s fourth zero-day this year was patched earlier this month. The fix was included in an update that addressed 21 security holes. If you haven’t fully closed and restarted Chrome since then, the update has not been applied. Restart your browser now.
Apache ActiveMQ Classic
RCE vulnerability undetected for 13 years
Apache patched a remote code execution flaw in ActiveMQ Classic that had gone undetected for 13 years. Organisations running Apache ActiveMQ Classic in any environment should check their version and apply the patch.
Fortinet & Cisco
Actively exploited enterprise product flaws
Fortinet fixed an actively exploited critical flaw in FortiClient EMS (CVE-2026-35616). Cisco released updates including an IMC authentication bypass that allows Admin-level access. Both require urgent attention in enterprise environments.
Your Action List
What to Do Right Now
Four things every Windows user should do this week.
🔴
Run Windows Update today
Settings → Windows Update → Check for updates. Install all available patches. Windows 11 users can do this directly. Windows 10 users need to be enrolled in the
Extended Security Update (ESU) programme.
🔐
Check Secure Boot status in the app
Open Windows Security → Device Security → Secure Boot. Don’t just look for a green badge — read the full text confirmation that all 2023 certificates have been applied.
🌐
Restart your browser fully
Completely close and reopen Chrome, Edge, or Firefox. This is the only way to guarantee browser security updates take effect. Minimising or using a background tab does not apply pending patches.
📄
Update Adobe Reader & Acrobat
Open Adobe Reader → Help → Check for Updates. The emergency patch for CVE-2026-34621 is already available. If you open PDFs in a browser, ensure the browser’s built-in viewer or Adobe plugin is updated too.
Summary
Microsoft’s April 2026 Patch Tuesday covered 167 vulnerabilities across Windows, Office, SharePoint, Defender, .NET, and related software. The release was identified by researchers as the second-largest monthly security update in Microsoft’s history, below the record of 183 CVEs set in October 2025. Two zero-days were addressed: an actively exploited SharePoint spoofing flaw (CVE-2026-32201, CVSS 6.5) and the publicly disclosed “BlueHammer” Windows Defender privilege escalation bug (CVE-2026-33825, CVSS 7.8). Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that the public BlueHammer exploit code no longer functions after this month’s patches are applied. Satnam Narang of Tenable noted this is the second time a SharePoint Server spoofing vulnerability has been exploited as a zero-day — the previous instance was CVE-2025-49706 in July 2025.
The April update also introduced Secure Boot certificate status reporting in the Windows Security app. The Microsoft Secure Boot certificates originally issued in 2011 were discussed, with the first set beginning expiration in June 2026 and the final set in October 2026. The updated 2023 certificates were covered as being delivered automatically via Windows Update for supported, managed devices. More in-app and system alerts were announced by Microsoft for May 2026. Full guidance is available in Microsoft’s official Secure Boot status page and the Windows IT Pro Blog.
For related coverage, see our articles on iOS 26 bug fixes, WhatsApp Web 4.9 chat themes, and Apple CarPlay Ultra confirmed for 2026 vehicles. Live updates were also posted via PCMag on X.
