Quick Facts
- Category: Cybersecurity
- Published: 2026-05-01 11:01:55
Microsoft's April 2026 Patch Tuesday brought a colossal update, addressing 167 security vulnerabilities across its software ecosystem. Among the critical fixes were a SharePoint Server zero-day already under active attack, a publicly disclosed Windows Defender privilege escalation flaw known as "BlueHammer," and an emergency Adobe Reader patch for a flaw exploited since late 2025. Google also shipped its fourth Chrome zero-day of the year. This month's release marks the second-largest Patch Tuesday in Microsoft's history, with a record number of browser-related fixes.
Microsoft's Second-Largest Patch Tuesday
April's patch count has been exceeded only once before, and it sets a new high for browser vulnerability fixes. Of the 167 CVEs, nearly 60 affect Microsoft Edge, which shares the Chromium engine with Google Chrome. This surge has sparked speculation about the role of AI in vulnerability discovery, particularly in light of Anthropic's Project Glasswing announcement.

SharePoint Server Zero-Day Actively Exploited (CVE-2026-32201)
Microsoft warned that attackers are already exploiting CVE-2026-32201, a spoofing vulnerability in SharePoint Server. The flaw allows an unauthenticated attacker to present falsified content or interfaces within trusted SharePoint environments, opening the door to phishing, data manipulation, and social engineering campaigns. Mike Walters, president and co‑founder of Action1, emphasized the risk: "This CVE can deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments. The presence of active exploitation significantly increases organizational risk." Organizations are urged to prioritize this patch, especially those relying on SharePoint for internal collaboration.
Windows Defender 'BlueHammer' Vulnerability (CVE-2026-33825)
Another notable fix is CVE-2026-33825, a privilege escalation bug in Windows Defender dubbed "BlueHammer." The researcher who discovered the flaw publicly released exploit code after becoming frustrated with Microsoft's response time. Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that installing this month's patches neutralizes the public exploit. Nevertheless, the incident underscores ongoing tensions between security researchers and vendors over disclosure timelines.
Emergency Fixes for Adobe and Chrome
Outside the Microsoft universe, two other major vendors shipped critical updates for actively exploited vulnerabilities.
Adobe Reader Zero-Day (CVE-2026-34621)
On April 11, Adobe released an emergency update for Reader and Acrobat to address CVE-2026-34621, a remote code execution flaw that has been exploited in the wild since at least November 2025. Satnam Narang, senior staff research engineer at Tenable, highlighted the extended period of active exploitation, urging all users to apply the patch immediately. Given the widespread use of PDF files in enterprise workflows, this vulnerability poses a serious threat to systems that lag behind on updates.

Google Chrome Fourth Zero-Day of 2026
Google also pushed an emergency update for Chrome, fixing the browser's fourth zero-day of the year. While details are sparse, the update is classified as critical and users should restart their browsers to activate the fix. Combined with the Microsoft Edge fixes, this month has been particularly busy for those maintaining Chromium-based browsers.
The Surge in Browser Vulnerabilities
The sheer number of browser vulnerabilities in April's Patch Tuesday—nearly 60—has drawn attention. Adam Barnett, lead software engineer at Rapid7, called it "a new record in that category." He noted that it might be tempting to attribute the spike to the buzz around Anthropic's Project Glasswing, a much-hyped AI capability reportedly adept at finding bugs. However, Barnett clarified that Microsoft Edge incorporates fixes from the Chromium project, which acknowledges many external researchers. "A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities," Barnett said. "We should expect to see further increases in vulnerability reporting volume as the impact of AI models extends further, both in terms of capability and availability."
Patching Recommendations
With so many critical updates, IT administrators should act quickly. Organizations should apply the Microsoft SharePoint and Windows Defender patches first, given the active exploitation of the SharePoint flaw and the public exploit code for BlueHammer. The Adobe Reader emergency update and the latest Chrome version should also be installed without delay. Finally, no matter which browser you use, a full restart is essential to ensure patches take effect. Regular patching, combined with a strong vulnerability management program, remains the best defense against zero-day attacks and commodity malware.