April 2026 Patch Tuesday is in the rear-view mirror, and the headline is hard to miss: Microsoft shipped fixes for around 163 CVEs, and 93 of them – 57% – were elevation-of-privilege (EoP) bugs. Two of them were zero-days, including the BlueHammer Windows LPE we wrote about earlier this month, now formally tracked as CVE-2026-33825.
That makes April 2026 the largest single-release pile of privilege-escalation fixes Microsoft has shipped in a long time. It is also a continuation of a pattern. February’s release carried 25 EoP bugs. January’s carried 58. For the third release this year, the dominant Windows vulnerability class has been “turn a low-privileged local user into SYSTEM”.
If your endpoint security model still leans on “our users are local admins, but we patch quickly,” this is the month to revisit that assumption.
What stood out in this release
You can read the full list on the usual write-ups (Rapid7, Tenable, ZDI, Krebs – links at the bottom). For the local-admin and least-privilege story, these are the ones that matter:
- CVE-2026-33825 – Microsoft Defender Antimalware Platform (BlueHammer). The publicly disclosed zero-day from earlier this month. Abuses Defender’s signature update process, chains a TOCTOU race with path confusion, and ends as SYSTEM. Now patched, but public exploit code is still circulating, so an unpatched machine is a known quantity to anyone who wants it.
- CVE-2026-26173, CVE-2026-26177, CVE-2026-27922 – Windows Ancillary Function Driver for WinSock (AFD.sys). Three separate kernel-driver EoPs in a component every Windows machine loads. AFD.sys has a long history of LPE bugs and remains a favourite target for attackers chasing SYSTEM.
- CVE-2026-27908, CVE-2026-27921 – Windows TDI Translation Driver (tdx.sys). Two more kernel-level EoPs in the networking stack. Same shape: start as a local user, end as SYSTEM, full machine compromise.
- CVE-2026-26159 – Remote Desktop Licensing Service. Authenticated EoP affecting Windows Server 2012 R2 through 2025. Not a client-side bug, but a reminder that “authenticated local user” is exactly the foothold attackers spend their phishing budget on.
- A Windows Kernel zero-day. The second of the release’s two zero-days, and one Microsoft reports as exploited in the wild. SYSTEM-level escalation, already in attacker hands before the patch shipped.
The common thread is not subtle. Almost every one of these bugs starts with “an attacker with code execution as a local user” and ends with “SYSTEM”. That is the privilege-escalation gap. It is what least privilege is supposed to widen, and what attackers spend their time trying to close.
Why “local LPE” keeps dominating
Three EoP-heavy patch cycles this year is not a coincidence. A few things are driving it:
- Initial access is cheaper than ever. Phishing kits, infostealers, malicious browser extensions, and compromised installers all reliably deliver code execution as a low-privileged user. Attackers do not need a Windows RCE if they can get a click.
- The remaining attack surface lives below the user. Once you are running as a normal user, the next interesting boundary is SYSTEM. Kernel drivers (AFD.sys, tdx.sys), built-in services (Defender, WER, Cloud Files), and helper processes are all candidates. They get a lot of researcher and attacker attention.
- Breakout time is shrinking. As we covered in You Don’t Have an Hour Anymore, attackers now move from initial access to lateral movement in minutes. EoP is the link in that chain that turns a single endpoint into the rest of your estate.
None of that means Windows is uniquely fragile. It means the LPE category is structurally important, and it is not going away.
Why local admin rights make every one of these worse
An EoP bug is most useful to an attacker when it bridges a meaningful gap. If your users are standard users, the gap from “phished foothold” to “SYSTEM” is real, and exploiting any of the bugs above takes time, leaves signals, and gives defenders a window to act.
If your users are already local admins, that gap barely exists. The attacker is already most of the way there. EoP becomes a convenience rather than a necessity. Detection windows shrink. Containment options shrink. The blast radius of one phishing click looks a lot more like a full-machine compromise.
That is the local admin multiplier. Every privilege-escalation CVE Microsoft ships gets worse when your starting point is “the user already has admin”. 93 EoP fixes in a single month is a lot of multipliers to be exposed to.
What to do this month
- Patch fast, especially the kernel-driver and Defender EoPs. AFD.sys, tdx.sys and CVE-2026-33825 should be near the top of your April rollout.
- Audit your local admin footprint. If you cannot answer “which users on which machines are local admins, and why?” in under an hour, that is the first thing to fix. Our Local Admin Retirement Checklist is a practical place to start.
- Treat “app needs admin” as a hypothesis, not a fact. Most of the time it is the updater, a helper EXE, or one specific install action – not the whole user account. We unpacked this in The Hidden Least-Privilege Problem and The 6 Legacy App Behaviors That “Require Admin”.
- Stop typing admin passwords into UAC prompts. If your “solution” for legacy apps is a shared admin credential, you have an audit problem and a credential-theft problem. There are safer ways to handle admin moments.
- Plan for the next 93. May’s Patch Tuesday will have its own pile of EoPs. Build an endpoint model that does not depend on Microsoft never shipping another LPE.
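If “which users on which machines are local admins?” is the question, the fastest honest answer is to go and ask the machines. The script below is an added example written for this post (it is not Elevator’s code, and not from Microsoft): it inventories the local Administrators group on each host, flags any member that is not the built-in Administrator (RID 500) or Domain Admins (RID 512), and records the file versions of afd.sys and tdx.sys plus the most recent hotfix so you can compare them against the fixed builds in Microsoft’s April advisory. The `$Computers` list and the `$ExpectedRids` allow-list are placeholders you will need to adjust; no KB numbers or patched driver versions are hard-coded, because those belong to the advisory, not to this script. It needs the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and WinRM for any remote host.

```powershell
# Added example for this post (not Elevator's or Microsoft's code).
# Assumptions: $Computers and $ExpectedRids are placeholders; the patched
# afd.sys/tdx.sys versions are looked up in the April advisory by you.

$Computers = @('localhost')   # replace with your own list or an AD query

# RIDs we treat as expected in local Administrators: 500 = built-in
# Administrator, 512 = Domain Admins. Add your own break-glass accounts.
$ExpectedRids = @('-500', '-512')

$Audit = {
    param($ExpectedRids)

    # Get-LocalGroupMember throws on some builds when the group holds an
    # orphaned SID, so fall back to the WinNT ADSI provider if it fails.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Name   = $_.Name
                    Source = [string]$_.PrincipalSource
                    Sid    = $_.SID.Value
                }
            }
    } catch {
        $members = ([ADSI]'WinNT://./Administrators,group').Invoke('Members') |
            ForEach-Object {
                $sidBytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
                [pscustomobject]@{
                    Name   = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
                    Source = 'ADSI fallback'
                    Sid    = (New-Object Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
                }
            }
    }

    # Anything whose SID does not end in an allow-listed RID is a finding.
    $unexpected = $members | Where-Object {
        $sid = $_.Sid
        -not ($ExpectedRids | Where-Object { $sid.EndsWith($_) })
    }

    # Driver files named in the April release. Record the version; compare
    # it with the fixed build in the advisory rather than trusting Get-HotFix
    # alone, since a pending reboot leaves the old driver loaded.
    $drivers = foreach ($name in 'afd.sys', 'tdx.sys') {
        $path = Join-Path $env:SystemRoot "System32\drivers\$name"
        if (Test-Path $path) {
            '{0}={1}' -f $name, (Get-Item $path).VersionInfo.FileVersion
        } else {
            '{0}=missing' -f $name
        }
    }

    $lastFix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        AdminCount       = @($members).Count
        UnexpectedAdmins = (@($unexpected) | ForEach-Object { $_.Name }) -join '; '
        Drivers          = $drivers -join ', '
        LastHotFix       = if ($lastFix) {
            '{0} on {1}' -f $lastFix.HotFixID, $lastFix.InstalledOn.ToShortDateString()
        } else { 'none found' }
    }
}

$results = foreach ($c in $Computers) {
    if (@('localhost', $env:COMPUTERNAME) -contains $c) {
        & $Audit $ExpectedRids
    } else {
        Invoke-Command -ComputerName $c -ScriptBlock $Audit -ArgumentList (,$ExpectedRids)
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path .\local-admin-audit.csv -NoTypeInformation
```

Two caveats worth knowing before you trust the output. First, nested groups: a domain group sitting in local Administrators shows up as one member, so anything in `UnexpectedAdmins` that is a group needs its own membership expanded in AD before you know how many humans it represents. Second, the driver version check is there because `Get-HotFix` reports what was installed, not what is loaded; a machine that took the update but has not rebooted still runs the vulnerable afd.sys and tdx.sys, and that is exactly the window a local attacker with a public exploit is looking for.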
Running Legacy Apps That Still Need Elevation?
If the only thing keeping your users in the local Administrators group is a handful of legacy or specialist applications that break without elevated permissions, that is exactly the problem Elevator is designed to solve.
Elevator is a lightweight Windows utility that elevates just the applications you approve – automatically and silently – while keeping your users as standard users everywhere else. No more “they need local admin for that one app.” No more shared admin passwords. And when the next 93 EoP bugs land, your blast radius is already smaller.
Try Elevator free → or get pricing and deployment guidance.
Related reading
- BlueHammer: The Unpatched Windows Zero-Day That Makes Every Local Admin a Higher-Value Target
- February 2026 Patch Tuesday: 25 Privilege Escalation Bugs & What They Mean For Local Admin On Windows
- You Don’t Have an Hour Anymore: Why Least Privilege Matters When Breakout Time Is Minutes
- The Local Admin Retirement Checklist