RC RANDOM CHAOS

April 2026 Patch Tuesday: 167 Microsoft Fixes, SharePoint Zero-Day, BlueHammer Exploit

via Krebs on Security

Original source: Patch Tuesday, April 2026 Edition (Krebs on Security)

Microsoft shipped its second-largest Patch Tuesday ever, addressing 167 vulnerabilities across Windows and related products. The headline flaw is CVE-2026-32201, an actively exploited SharePoint Server spoofing bug that lets attackers plant falsified content inside trusted environments — a high-value pivot for phishing and social engineering. Also patched is BlueHammer (CVE-2026-33825), a Windows Defender privilege escalation flaw whose discoverer dropped public exploit code after growing frustrated with Microsoft’s response; today’s update neutralizes the released PoC.

The record volume is driven largely by nearly 60 browser vulnerabilities, most republished from upstream Chromium fixes that feed Microsoft Edge. Rapid7’s Adam Barnett attributes the spike not to the hype around Anthropic’s unreleased Project Glasswing bug-finding AI but to the broader expansion of AI-assisted vulnerability research across the ecosystem — a trend expected to keep inflating disclosure counts.

Outside Redmond, Google Chrome patched its fourth zero-day of 2026, and Adobe issued an emergency fix for CVE-2026-34621 in Reader, a remote code execution flaw reportedly exploited in the wild since November 2025. The reminder for users: browsers install pending updates only on a full restart, so periodically closing tabs and relaunching the browser has a direct security payoff.


This is an AI-generated summary. Read the original for the full story.