Microsoft's April 2026 Patch Tuesday: A Historic Security Update
Microsoft has released its April 2026 Patch Tuesday update, fixing a staggering 167 security vulnerabilities across Windows operating systems and related software. Security researchers are calling it the second-biggest Patch Tuesday in Microsoft's history — and for good reason. This month's release addresses an actively exploited SharePoint Server zero-day, a publicly disclosed Windows Defender privilege escalation bug dubbed "BlueHammer," and nearly 60 browser-related flaws. Combined with an emergency Adobe Reader patch and Google Chrome's fourth zero-day fix of 2026, April's update cycle demands immediate attention from every IT and security team.
SharePoint Zero-Day Under Active Attack: CVE-2026-32201
The most urgent vulnerability in this month's release is CVE-2026-32201, a zero-day flaw in Microsoft SharePoint Server that is already being exploited in the wild. Microsoft warns that attackers are leveraging this vulnerability to spoof trusted content or interfaces over a network, opening the door to a wide range of follow-on attacks.
Mike Walters, president and co-founder of Action1, explained the real-world implications clearly:
"This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise. The presence of active exploitation significantly increases organizational risk."
Organizations relying on SharePoint for internal communications, document management, or partner portals should treat this patch as a top priority. Attackers exploiting CVE-2026-32201 can deceive employees, partners, or customers by presenting falsified information within an environment those users inherently trust. This makes it a potent tool for credential theft, business email compromise, and supply chain attacks.
BlueHammer: The Windows Defender Privilege Escalation Bug
Microsoft also patched CVE-2026-33825, a privilege escalation vulnerability in Windows Defender that has been publicly dubbed "BlueHammer." Unlike the SharePoint zero-day, this flaw was publicly disclosed: the researcher who discovered it grew frustrated with Microsoft's response timeline and released working exploit code before a patch was available.
The good news: Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that the public BlueHammer exploit code no longer functions after applying today's patches. However, the window between public disclosure and this patch represents a meaningful period of exposure for unpatched systems. Privilege escalation bugs in a core security component like Windows Defender are particularly dangerous — a threat actor who gains initial access to a system can leverage such a flaw to achieve SYSTEM-level privileges and fully compromise the host.
- CVE-2026-33825 affects Windows Defender across multiple Windows versions
- Public exploit code was available prior to today's patch
- Applying today's patches stops the known public exploit code from working
Adobe Reader Emergency Patch: CVE-2026-34621
On April 11 — ahead of the regular Patch Tuesday cycle — Adobe released an emergency update for Adobe Reader to address CVE-2026-34621, a critical flaw that can lead to remote code execution (RCE). This out-of-band release signals the severity of the issue: Adobe and Microsoft do not push emergency patches lightly.
Satnam Narang, senior staff research engineer at Tenable, revealed that evidence suggests active exploitation of this vulnerability may date back to at least November 2025 — meaning attackers may have been silently leveraging this flaw for nearly five months before a patch was made available. If your organization has not yet applied the emergency Adobe Reader update, it should be treated as critically overdue.
Google Chrome's Fourth Zero-Day of 2026: CVE-2026-5281
Google also patched a high-severity zero-day in Chrome earlier this month, marking the browser's fourth zero-day vulnerability of 2026. The flaw, tracked as CVE-2026-5281, was included in a Chrome update that addressed 21 security holes in total.
This is a critical reminder for end users and administrators alike: keeping a browser window open indefinitely does not mean you are running a patched version. Browser updates only take effect after the browser is fully closed and relaunched. If you — or your users — habitually leave dozens of tabs open and never restart the browser, you may be running a vulnerable version without knowing it.
- Chrome CVE-2026-5281 is rated high severity
- The fix is only applied after a full browser restart
- This is Chrome's fourth zero-day patched in 2026 alone
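One way to check a fleet for the restart gap described above, as an added example that is not part of the original article. It assumes your endpoint inventory can report both the browser version installed on disk and the version of the running process; the row format, host names and version numbers are constructed for illustration.

```python
def parse_version(text):
    """Dotted version -> tuple of ints, or None if it is not purely numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def restart_pending(rows):
    """Return {host: reason} for hosts whose running browser lags the installed one."""
    flagged = {}
    for row in rows:
        running = parse_version(row["running"])
        installed = parse_version(row["installed"])
        if running is None or installed is None:
            # Missing or odd data is a gap in visibility, not proof of a patched host.
            flagged.setdefault(row["host"], "unparseable version, check manually")
        elif running < installed:
            # Update is on disk but the process was started before it landed.
            flagged[row["host"]] = (
                f"running {row['running']}, installed {row['installed']}"
            )
    return flagged


# Constructed inventory rows (hypothetical export format and version numbers).
ROWS = [
    {"host": "wks-014", "running": "100.0.1000.9", "installed": "100.0.1000.10"},
    {"host": "wks-022", "running": "100.0.1000.10", "installed": "100.0.1000.10"},
    {"host": "wks-031", "running": "", "installed": "100.0.1000.10"},
]

if __name__ == "__main__":
    for host, reason in sorted(restart_pending(ROWS).items()):
        print(f"{host}: restart needed ({reason})")
```

Versions are compared as integer tuples because a plain string comparison ranks "100.0.1000.9" above "100.0.1000.10" and would miss the first host.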
Nearly 60 Browser Vulnerabilities: Is AI Driving the Surge?
One of the most striking statistics from this Patch Tuesday is the inclusion of nearly 60 browser-related vulnerabilities. Adam Barnett, lead software engineer at Rapid7, noted this sets a new record in that specific category, driven largely by the fact that Microsoft Edge is built on the Chromium engine and republished a broad set of upstream Chromium fixes.
The timing has sparked speculation: could the recent announcement of Project Glasswing — a much-hyped AI capability from Anthropic reportedly proficient at finding software bugs — be contributing to the spike? Barnett cautions against drawing a direct line, noting the Chromium maintainers acknowledge a wide range of independent researchers for these discoveries. But he does point to a broader trend:
"A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities. We should expect to see further increases in vulnerability reporting volume as the impact of AI models extends further, both in terms of capability and availability."
Whether or not AI tooling is directly responsible for this month's record numbers, the trajectory is clear: vulnerability discovery is accelerating, and patch management programs must scale to keep pace.
Patch Priority Recommendations
Given the volume and severity of this month's releases, security teams should triage their patching efforts in the following order:
- Immediate (within 24-48 hours): CVE-2026-32201 (SharePoint zero-day, actively exploited), CVE-2026-34621 (Adobe Reader RCE, likely exploited since November 2025)
- High priority (within 1 week): CVE-2026-33825 (BlueHammer/Windows Defender privilege escalation, public exploit available), CVE-2026-5281 (Chrome zero-day)
- Standard cycle: Remaining 163+ Microsoft CVEs — review CVSS scores and asset exposure to prioritize within your environment
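The triage order above, turned into a work queue with deadlines, as an added example that is not part of the original article. The tier assignments and windows come from the list; the host names, CVSS values, placeholder CVE ids and start time are constructed, and the rule that internet-facing assets sort ahead of higher CVSS scores within a tier is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Tier membership and windows come from the article's priority list.
TIERS = {
    "CVE-2026-32201": "immediate",  # SharePoint zero-day, actively exploited
    "CVE-2026-34621": "immediate",  # Adobe Reader RCE
    "CVE-2026-33825": "high",       # BlueHammer, public exploit
    "CVE-2026-5281": "high",        # Chrome zero-day
}
# Upper bound of each window; the article sets no deadline for the standard cycle.
WINDOW = {"immediate": timedelta(hours=48), "high": timedelta(days=7), "standard": None}
RANK = {"immediate": 0, "high": 1, "standard": 2}

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    internet_facing: bool          # asset exposure, from your inventory
    cvss: Optional[float] = None   # only used to order the standard cycle

def build_queue(findings, start):
    """Return (tier, due, finding) tuples in the order they should be worked."""
    def key(f):
        t = TIERS.get(f.cve, "standard")
        # Tier, then exposed assets first, then highest CVSS, then a stable tiebreak.
        return (RANK[t], not f.internet_facing, -(f.cvss or 0.0), f.host, f.cve)
    queue = []
    for f in sorted(findings, key=key):
        t = TIERS.get(f.cve, "standard")
        due = start + WINDOW[t] if WINDOW[t] is not None else None
        queue.append((t, due, f))
    return queue

def overdue(queue, now):
    """Findings whose window has closed while the host is still unpatched."""
    return [f for _, due, f in queue if due is not None and now > due]

# Constructed sample data; none of these values come from the article or an advisory.
START = datetime(2026, 4, 14, 18, 0)
SAMPLE = [
    Finding("wks-014", "CVE-PLACEHOLDER-0001", False, 9.8),
    Finding("sp-portal", "CVE-2026-32201", True),
    Finding("wks-014", "CVE-2026-33825", False),
    Finding("edge-gw", "CVE-PLACEHOLDER-0002", True, 7.5),
    Finding("wks-022", "CVE-2026-34621", False),
    Finding("wks-022", "CVE-2026-5281", False),
]
```

In the sample, the 9.8-rated placeholder CVE lands last: exploitation status decides the tier, and CVSS only orders the standard cycle.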
Conclusion: Act Now on April's Record-Breaking Patch Tuesday
April 2026's Patch Tuesday is not one to defer. With 167 Microsoft CVEs — including an actively exploited SharePoint zero-day and a publicly disclosed Windows Defender privilege escalation bug — alongside critical fixes from Adobe and Google, the attack surface left by unpatched systems is substantial. Security teams should initiate emergency patching for the actively exploited and publicly disclosed vulnerabilities immediately, while accelerating their standard patch deployment cycle for the remaining fixes. As AI continues to enhance vulnerability research capabilities on both sides of the security equation, months like this one are likely to become the new norm rather than the exception.
For a detailed, per-patch breakdown with clickable CVE references, consult the SANS Internet Storm Center's April 2026 Patch Tuesday roundup.