Microsoft’s April 2026 Patch Tuesday Shatters Records: 167 Flaws, Active Exploits, and AI-Driven Vulnerability Surge

Microsoft released a record-breaking 167 security fixes in its April 2026 Patch Tuesday update, including a SharePoint Server zero-day that attackers are already exploiting and a publicly disclosed privilege escalation flaw in Windows Defender known as BlueHammer. Separately, Google Chrome patched its fourth zero-day of the year and Adobe issued an emergency fix for a reader vulnerability that has been used in active attacks since at least November 2025.

Key Vulnerabilities

SharePoint Server Zero-Day Under Active Attack

Microsoft warns that threat actors are actively targeting CVE-2026-32201, a spoofing vulnerability in SharePoint Server. Mike Walters, president and co-founder of Action1, explained that the flaw lets attackers present falsified content within trusted SharePoint environments, enabling phishing and social engineering campaigns. "This CVE can deceive employees, partners, or customers, and active exploitation significantly increases organizational risk," Walters said.

Microsoft’s April 2026 Patch Tuesday Shatters Records: 167 Flaws, Active Exploits, and AI-Driven Vulnerability Surge — Source: krebsonsecurity.com

BlueHammer: Public Exploit Code Now Patched

The BlueHammer vulnerability (CVE-2026-33825) is a privilege escalation bug that security researcher Will Dormann of Tharros confirmed can no longer be exploited after today’s patch. The researcher who discovered it published exploit code after growing frustrated with Microsoft’s response, according to BleepingComputer. "The public exploit code no longer works after installing the update," Dormann noted.

Adobe Reader Emergency Patch for Actively Exploited Flaw

Adobe released an out-of-band update on April 11 for CVE-2026-34621, a remote code execution flaw in Adobe Reader. Satnam Narang, senior staff research engineer at Tenable, stated that evidence shows exploitation dating back to at least November 2025. Users are urged to restart their browsers after updating to ensure protection.

Google Chrome Fourth Zero-Day of 2026

Google also fixed its fourth Chrome zero-day this year, though details remain limited. The update is rolling out automatically and users are advised to restart their browsers.

Background

This Patch Tuesday sets a new record for Microsoft with 167 vulnerabilities addressed. According to Adam Barnett, lead software engineer at Rapid7, nearly 60 of those flaws are in Microsoft Edge, which is built on the Chromium engine. "It might be tempting to link the spike to the announcement of Project Glasswing, an unreleased AI capability from Anthropic that is reportedly adept at finding bugs, but the Chromium maintainers acknowledge a wide range of researchers for the vulnerabilities," Barnett said. He added that the likely driver is the expanding role of AI in vulnerability discovery: "We should expect further increases in reporting volume as AI models become more capable and accessible."

What This Means

Organizations must prioritize patching the actively exploited SharePoint and Adobe flaws immediately. The sheer volume of fixes—especially the browser-related ones—highlights the growing attack surface in modern software. Security teams should also monitor for AI-generated exploits, as the trend of AI-assisted vulnerability discovery promises to accelerate the pace of patch releases. For end users, the key takeaway is to install updates promptly and restart browsers after any security update.

This article was updated to reflect the latest patch information. For ongoing coverage of cybersecurity threats, follow our cybersecurity hub.