Microsoft Addresses 167 Security Flaws in April 2026 Patch Tuesday

Microsoft has released its April 2026 Patch Tuesday updates, addressing 167 security vulnerabilities across its Windows operating systems and related software. The fixes include critical patches for a SharePoint Server zero-day and a publicly disclosed privilege escalation flaw in Windows Defender, known as BlueHammer.

SharePoint Server Zero-Day (CVE-2026-32201) Actively Exploited

Redmond has warned that attackers are already targeting CVE-2026-32201, a vulnerability in Microsoft SharePoint Server that allows trusted content or interfaces to be spoofed over a network. Mike Walters, president and co-founder of Action1, highlighted the risks:

“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise. The presence of active exploitation significantly increases organizational risk.”

Walters emphasized that the flaw could deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments.

BlueHammer (CVE-2026-33825) Privilege Escalation Flaw Patched

Microsoft also addressed BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender. According to BleepingComputer, the researcher who discovered the flaw published exploit code after growing frustrated with Microsoft’s response time. Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that the public BlueHammer exploit no longer works after installing the latest patches.

Adobe Reader Emergency Update Fixes Actively Exploited Flaw

Separately, Adobe released an emergency update for Adobe Reader to patch CVE-2026-34621, a flaw that can lead to remote code execution. Satnam Narang, senior staff research engineer at Tenable, noted indications that this zero-day has been actively exploited since at least November 2025.

Record-Breaking Patch Volume Linked to AI Advancements

Adam Barnett, lead software engineer at Rapid7, described Microsoft’s patch total as a new record, with nearly 60 browser vulnerabilities included. He suggested that the surge in reported flaws may be tied to advancements in AI capabilities, particularly in bug detection:

“A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities. We should expect to see further increases in vulnerability reporting volume as the impact of AI models extends further, both in terms of capability and availability.”

Barnett also noted that while speculation linked the spike to Anthropic’s unreleased Project Glasswing—an AI tool reportedly effective at finding bugs—the increase is more likely due to broader AI-driven research efforts.

Google Chrome and Browser Security Updates

Google Chrome also addressed its fourth zero-day of 2026 in a recent update. Earlier this month, Chrome fixed 21 security vulnerabilities, including the high-severity zero-day CVE-2026-5281. Users are advised to fully close and restart their browsers to ensure updates are applied.

Staying Protected: Key Recommendations

To ensure security updates are properly installed, follow these steps:

  • Restart your browser completely—even if you have multiple tabs open. This is the only way to guarantee updates are applied.
  • Review Microsoft’s Patch Tuesday roundup via the SANS Internet Storm Center for a detailed breakdown of each fix.
  • Apply Adobe Reader updates immediately to address the actively exploited flaw.
  • Monitor for further updates from Google Chrome and other affected software vendors.

For users experiencing issues applying updates, consult official support channels or IT administrators for assistance.