April 2026 Patch Tuesday: Everything You Need to Know

Welcome to the April 2026 Patch Tuesday roundup—a month that broke records and kept security teams on high alert. Microsoft released updates for a staggering 167 vulnerabilities, including two critical zero-days: one in SharePoint Server (CVE-2026-32201) actively exploited in the wild, and the BlueHammer privilege escalation flaw in Windows Defender (CVE-2026-33825). Beyond Redmond, Google Chrome fixed its fourth zero-day of the year, and Adobe issued an emergency patch for Reader (CVE-2026-34621) that attackers have been using since late 2025. Industry experts weigh in on the implications, from phishing risks to the growing role of AI in vulnerability discovery. Below, we answer the most pressing questions about this month's updates. Jump to: Record-breaking patch count | SharePoint zero-day details | BlueHammer saga | Other zero-days | AI and browser bugs | Protecting yourself

How many vulnerabilities did Microsoft fix in April 2026, and why is this month so significant?

Microsoft released patches for a total of 167 security holes across Windows and related software—a new record for the company. Satnam Narang, senior staff research engineer at Tenable, noted that April marks the second-biggest Patch Tuesday ever for Microsoft. Adam Barnett of Rapid7 highlighted that nearly 60 of those vulnerabilities affected web browsers alone. While some speculated that the surge was tied to the recent Project Glasswing announcement—an hyped AI bug-finding tool from Anthropic—Barnett pointed out that Microsoft Edge is built on Chromium, and the Chromium project regularly credits a broad range of researchers. He concluded, “A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities.” The sheer number of fixes underscores the escalating complexity of the threat landscape and the need for organizations to prioritize patch management.

What is the SharePoint Server zero-day (CVE-2026-32201) and how is it being exploited?

CVE-2026-32201 is a spoofing vulnerability in Microsoft SharePoint Server that allows attackers to present falsified trusted content or interfaces over a network. Mike Walters, president of Action1, warned that this flaw can be used to deceive employees, partners, or customers by displaying fake information within legitimate SharePoint environments. He explained, “This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise.” Microsoft confirmed active exploitation, meaning attackers are already leveraging this bug in real-world attacks. Walters emphasized that the presence of active exploitation “significantly increases organizational risk.” Organizations using SharePoint should apply the April updates immediately and review user permissions to limit potential damage from spoofed content.

What is the BlueHammer vulnerability in Windows Defender (CVE-2026-33825) and how was it disclosed?

BlueHammer (CVE-2026-33825) is a privilege escalation flaw in Windows Defender. According to BleepingComputer, the researcher who discovered the bug publicly released exploit code after growing frustrated with Microsoft’s response time. Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that the public exploit no longer works after installing the April patches. This incident highlights the delicate balance between responsible disclosure and the pressure researchers feel when fixes are delayed. BlueHammer allowed an attacker to gain elevated privileges on a system, potentially bypassing security controls. While the patch closes the door, the public availability of the exploit code prior to patching increased risk for unpatched systems. Organizations should ensure Defender and all security products are updated promptly.

What other zero-day vulnerabilities were patched this month outside of Microsoft?

Two notable zero-days were addressed beyond Microsoft’s ecosystem. Google Chrome fixed its fourth zero-day of 2026, though details remain sparse to avoid further exploitation. Separately, Adobe issued an emergency update for Reader (CVE-2026-34621) to patch an actively exploited flaw that can lead to remote code execution. Satnam Narang noted that exploitation of this Adobe bug has been observed since at least November 2025, meaning attackers had a head start of several months. Adobe’s out-of-band patch underscores the critical nature of the vulnerability. Users of both Chrome and Adobe Reader should update immediately. These incidents reinforce that Patch Tuesday isn’t just about Microsoft—third-party software also requires vigilance.

Is there a connection between the surge in browser vulnerabilities and AI advancements?

The record number of browser-related patches—nearly 60—has sparked discussion about the role of artificial intelligence in vulnerability discovery. Some experts, like Adam Barnett, pointed to the timing with Project Glasswing, a new AI capability from Anthropic that is reportedly excellent at finding bugs. However, Barnett cautioned that the sudden spike mainly reflects the fact that Microsoft Edge is based on Chromium, and Chromium maintainers acknowledge a wide range of researchers for vulnerabilities that Microsoft republished. “A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities,” Barnett said. “We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability.” AI is likely accelerating both discovery and exploitation, making proactive patching more important than ever.

What should users do to protect themselves after this Patch Tuesday?

First and foremost, apply all Microsoft updates immediately, especially those for SharePoint Server (CVE-2026-32201) and Windows Defender (CVE-2026-33825). Update Google Chrome and Adobe Reader to their latest versions. In addition, restart your browser completely after updating—simply closing and opening a tab may not fully apply the fix. For enterprises, Mike Walters recommends reviewing user permissions in SharePoint to limit the impact of spoofing attacks. Enable automatic updates where possible, and consider using a vulnerability management platform to track unpatched systems. Finally, educate employees about phishing and social engineering attempts that may exploit these vulnerabilities. With AI-driven attacks on the rise, a layered defense that includes timely patching, user awareness, and network segmentation is essential.