April 2026 Patch Tuesday: By the Numbers
Microsoft's April 2026 Patch Tuesday is one for the record books. With 167 security vulnerabilities patched across Windows and related software, it marks the second-biggest Patch Tuesday ever, according to Satnam Narang, senior staff research engineer at Tenable.
| Metric | Details |
|---|---|
| Total Vulnerabilities Fixed | 167 |
| Browser Vulnerabilities | ~60 |
| Actively Exploited Zero-Days | CVE-2026-32201 (SharePoint) |
| Publicly Disclosed | CVE-2026-33825 (BlueHammer / Windows Defender) |
| Record Status | 2nd largest Patch Tuesday ever |
SharePoint Server Zero-Day: CVE-2026-32201
The most urgent fix is CVE-2026-32201, a vulnerability in Microsoft SharePoint Server that is already being actively exploited in the wild. The flaw allows attackers to spoof trusted content or interfaces over a network.
Mike Walters, president and co-founder of Action1, explained the real-world impact:
"This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise. The presence of active exploitation significantly increases organizational risk."
What makes this particularly dangerous:
- Trusted environment exploitation — SharePoint is used internally by organizations, so employees are less likely to question content that appears within it
- Social engineering vector — attackers can present falsified information to deceive employees, partners, or customers
- Active exploitation confirmed — this isn't theoretical; attacks are happening now
⚠️ Action Required: If your organization uses SharePoint Server, apply this patch immediately. Do not wait for your regular patching cycle.
BlueHammer: Windows Defender Privilege Escalation (CVE-2026-33825)
Microsoft also addressed BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender that was publicly disclosed before the patch was available.
The backstory is notable: the security researcher who discovered the flaw published exploit code after notifying Microsoft and growing exasperated with their response time. This is a recurring tension in the security community — researchers want vendors to act quickly, while vendors often need time to develop and test patches.
The good news: Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that the public BlueHammer exploit code no longer works after installing today's patches.
| CVE | Product | Type | Status |
|---|---|---|---|
| CVE-2026-32201 | SharePoint Server | Spoofing | 🔴 Actively exploited |
| CVE-2026-33825 | Windows Defender | Privilege escalation | 🟡 Publicly disclosed, exploit available |
~60 Browser Vulnerabilities: A New Record
Adam Barnett, lead software engineer at Rapid7, called the patch total "a new record in that category" because it includes nearly 60 browser vulnerabilities. Since Microsoft Edge is based on the Chromium engine, many of these were originally reported to the Chromium project and republished by Microsoft.
Barnett noted that while it might be tempting to link this spike to the recent announcement of Project Glasswing — a much-hyped AI capability from Anthropic reportedly excellent at finding software bugs — the reality is more nuanced:
"A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities. We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability."
This is a significant trend for businesses to watch: AI is accelerating vulnerability discovery, which means more patches, more frequently, across more software.
Google Chrome: Fourth Zero-Day of 2026
Separately from Microsoft's patches, Google Chrome fixed its fourth zero-day of 2026. An update released earlier this month patched 21 security holes, including the high-severity zero-day flaw CVE-2026-5281.
💡 Important: No matter what browser you use, completely close and restart it periodically. This is the only way to ensure available security updates get installed. If you have dozens of tabs open, it's tempting to put this off — but it's critical for security.
Adobe Reader Emergency Patch: CVE-2026-34621
Adobe issued an emergency update on April 11 for CVE-2026-34621, an actively exploited flaw in Adobe Reader that can lead to remote code execution — one of the most dangerous vulnerability types.
According to Tenable's Satnam Narang, there are indications this vulnerability has been exploited in the wild since at least November 2025 — meaning attackers had roughly five months of exploitation before a patch was available.
| Vendor | CVE | Product | Severity | Status |
|---|---|---|---|---|
| Microsoft | CVE-2026-32201 | SharePoint Server | High | 🔴 Actively exploited |
| Microsoft | CVE-2026-33825 | Windows Defender | High | 🟡 Public exploit |
| Google | CVE-2026-5281 | Chrome | High | 🔴 Zero-day (4th of 2026) |
| Adobe | CVE-2026-34621 | Adobe Reader | Critical | 🔴 Exploited since Nov 2025 |
The AI Factor: Why Vulnerability Counts Are Surging
The record-breaking patch count isn't a one-off. It reflects a fundamental shift in how vulnerabilities are discovered:
- AI-powered bug hunting — tools like Project Glasswing and other AI models are finding vulnerabilities at unprecedented scale
- Broader researcher access — AI capabilities are becoming more available, enabling more researchers to find more bugs
- Chromium's massive codebase — the shared engine behind Chrome, Edge, Brave, and Opera means one vulnerability affects billions of users
- Expect this to continue — as AI models improve, vulnerability reporting volume will keep increasing
For businesses, this means patching cadence needs to accelerate. Monthly patch cycles may no longer be sufficient when critical zero-days are being discovered and exploited between cycles.
What You Should Do Right Now
- Apply Microsoft patches immediately — especially if you use SharePoint Server (CVE-2026-32201 is actively exploited)
- Update Windows Defender — the BlueHammer exploit code is public; patching neutralizes it
- Restart your browser — close and reopen Chrome, Edge, or whatever you use to apply pending security updates
- Update Adobe Reader — CVE-2026-34621 allows remote code execution and has been exploited for months
- Review your patching process — if you're still on monthly cycles, consider moving to weekly or continuous patching for critical systems
- Monitor SANS ISC — check the SANS Internet Storm Center for a detailed per-patch breakdown
Frequently Asked Questions
How many vulnerabilities did Microsoft fix in April 2026?
Microsoft fixed 167 security vulnerabilities, making it the second-biggest Patch Tuesday ever. This includes nearly 60 browser vulnerabilities, a SharePoint Server zero-day (CVE-2026-32201), and the BlueHammer Windows Defender privilege escalation bug (CVE-2026-33825).
What is the SharePoint zero-day CVE-2026-32201?
CVE-2026-32201 is an actively exploited vulnerability in Microsoft SharePoint Server that allows attackers to spoof trusted content or interfaces over a network. It can enable phishing attacks, unauthorized data manipulation, and social engineering campaigns within trusted SharePoint environments.
What is BlueHammer (CVE-2026-33825)?
BlueHammer is a privilege escalation vulnerability in Windows Defender. The researcher who discovered it published exploit code after growing frustrated with Microsoft's response. The April 2026 patches fully resolve the issue and the public exploit code no longer works after updating.
Did Google Chrome also have a zero-day in April 2026?
Yes. Google Chrome fixed its fourth zero-day of 2026 — CVE-2026-5281, a high-severity flaw patched earlier in April along with 21 other security holes. Users should restart their browser to ensure the update is applied.
What Adobe Reader vulnerability was patched?
Adobe issued an emergency update on April 11 for CVE-2026-34621, an actively exploited flaw in Adobe Reader that can lead to remote code execution. There are indications this vulnerability has been exploited in the wild since at least November 2025.