Patch Tuesday April 2026: Record 167 Flaws Fixed, Active Exploits in SharePoint and Defender

Microsoft's April 2026 Patch Tuesday addressed a staggering 167 security vulnerabilities, setting a new record and including actively exploited flaws in SharePoint Server and Windows Defender. Google also patched its fourth Chrome zero-day of the year, while Adobe released an emergency update for Reader to fix a bug already under attack. We break down the key updates and expert insights in this Q&A.

What made the April 2026 Patch Tuesday so significant?

April 2026 Patch Tuesday was Microsoft's second-largest ever, according to Tenable's Satnam Narang, and set a new record for total vulnerabilities patched in a single month—167 in all. Rapid7's Adam Barnett noted that nearly 60 of these were browser-related, a sharp spike he attributes to expanding AI capabilities rather than Microsoft's recent Project Glasswing announcement. The sheer volume underscores the growing challenge for IT teams, with exploitation already underway for several critical flaws. Beyond Microsoft, Google fixed a fourth Chrome zero-day in 2026, and Adobe issued an emergency update for Reader to address an actively exploited remote code execution bug tracked as CVE-2026-34621.

Source: krebsonsecurity.com

What is the SharePoint Server zero-day (CVE-2026-32201) and how is it being exploited?

CVE-2026-32201 is a spoofing vulnerability in Microsoft SharePoint Server that allows attackers to present falsified content or interfaces within trusted SharePoint environments. Mike Walters of Action1 warned that it enables highly convincing phishing attacks, data manipulation, and social engineering campaigns. Because exploitation is already active in the wild, organizations face elevated risk—especially those relying on SharePoint for internal communications. The bug can trick employees, partners, or customers into revealing credentials or authorizing fraudulent actions. Microsoft's patch was released on April 14, 2026, and should be applied immediately. Walters emphasized that active exploitation significantly increases the urgency, as attackers may already have footholds.

What is the BlueHammer vulnerability (CVE-2026-33825) in Windows Defender?

BlueHammer (CVE-2026-33825) is a privilege escalation flaw in Microsoft's Windows Defender antivirus. It was publicly disclosed with exploit code after the researcher grew frustrated with Microsoft's response time. Will Dormann of Tharros confirmed that applying the April 2026 patches renders the public exploit code ineffective. The bug could allow an attacker to gain elevated privileges on a system, potentially bypassing security controls. Because exploit code was published, the risk of widespread use increased before patching. Microsoft addressed it in this Patch Tuesday release, and security experts urge immediate deployment. This incident highlights ongoing tensions between researchers and vendors over disclosure timelines, but the fix is now available.

What did Adobe patch in its emergency Reader update?

On April 11, 2026, Adobe released an emergency security update for Reader (and Acrobat) to fix CVE-2026-34621, a critical vulnerability that allows remote code execution. Tenable's Satnam Narang noted evidence that this flaw has been actively exploited since at least November 2025—meaning attackers had a multi-month window before Adobe shipped a fix. The bug affects Windows and macOS versions of the software. Adobe rated it as critical priority because exploitation could lead to full system compromise. Users should update to the latest version immediately. This serves as a reminder that even widely used productivity tools can carry long-unpatched zero-days, and emergency updates often signal active attacks.

Why did browsers account for so many vulnerabilities this month?

Of the 167 Microsoft patches, nearly 60 targeted the Edge browser, which is built on Chromium. Adam Barnett of Rapid7 explained that while some might link this spike to Anthropic's Project Glasswing AI bug-finding tool, the real driver is likely broader adoption of AI for vulnerability discovery. Chromium maintainers credit a wide range of researchers for the flaws Microsoft republished. AI models are becoming increasingly capable of finding subtle bugs across large codebases, and this month's volume may be a sign of things to come. Barnett expects vulnerability reporting to continue rising as AI tools improve. Regardless of cause, users should ensure their browsers are updated—Edge updates are included in Windows Update, and Chrome users should manually restart after updates.

What final steps should users take after installing these patches?

After applying Microsoft's Patch Tuesday updates, Chrome's zero-day fix, and Adobe's emergency update, the most critical step is to fully close and restart all browsers and affected applications. Many updates—especially for browsers—only take effect after a complete restart. Users should also verify that the updates were installed successfully by checking Windows Update history or the respective software's version number. For organizations, prioritizing the SharePoint zero-day and BlueHammer fixes is essential given active exploitation. Additionally, monitor for any unusual activity post-update, and consider enabling multi-factor authentication to mitigate phishing risks from CVE-2026-32201. Staying current on patches is the best defense against known attacks.
