Microsoft's Record-Breaking Patch Tuesday: 167 Flaws Fixed, Including Actively Exploited SharePoint and Defender Vulnerabilities

Breaking: Microsoft Releases Massive April 2026 Security Update

Microsoft today issued an unprecedented security update addressing 167 vulnerabilities across Windows and related software, marking the second-largest Patch Tuesday in company history. Among the fixes are an actively exploited zero-day in SharePoint Server and a publicly disclosed privilege escalation flaw in Windows Defender dubbed 'BlueHammer.'

Microsoft's Record-Breaking Patch Tuesday: 167 Flaws Fixed, Including Actively Exploited SharePoint and Defender Vulnerabilities — Source: krebsonsecurity.com

Separately, Google Chrome patched its fourth zero-day of 2026, while Adobe released an emergency update for Reader to counter an actively exploited remote code execution vulnerability.

Critical SharePoint Zero-Day Under Active Attack

Microsoft warned that attackers are already targeting CVE-2026-32201, a SharePoint Server spoofing vulnerability that allows deception within trusted corporate environments. 'This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns,' said Mike Walters, president of Action1.

'The presence of active exploitation significantly increases organizational risk,' Walters added. Enterprises relying on SharePoint for collaboration face immediate exposure.

BlueHammer: Windows Defender Bug Made Public

Microsoft also closed CVE-2026-33825 (BlueHammer), a privilege escalation flaw in Windows Defender. According to BleepingComputer, the researcher who discovered it published exploit code after frustration with Microsoft's response. Will Dormann of Tharros confirmed the public exploit no longer works after patching.

'Install these updates urgently,' Dormann emphasized. The vulnerability could have allowed attackers to gain elevated system access if left unpatched.

Adobe and Chrome Emergency Fixes

Satnam Narang of Tenable noted that Adobe's emergency update on April 11 (CVE-2026-34621) has been exploited since at least November 2025. Google Chrome's latest zero-day fix rounds out a busy month for browser security.

Background

April's Patch Tuesday total includes nearly 60 browser vulnerabilities, a record for Microsoft. Adam Barnett of Rapid7 attributed the spike partly to the buzz around Anthropic's unreleased AI tool 'Project Glasswing,' though he noted that many bugs stem from Chromium's open-source ecosystem.

'A safe conclusion is that this increase is driven by ever-expanding AI capabilities,' Barnett said. 'We should expect further increases in vulnerability reporting as AI models grow.'

What This Means

Organizations must prioritize these patches due to active exploitation of the SharePoint zero-day and BlueHammer. The sheer volume of fixes—167 total—demands a systematic approach to deployment, starting with critically rated vulnerabilities.

Users should restart browsers after applying updates, as browser-level fixes are only effective after a full restart. Combined with Chrome and Adobe patches, this is a pivotal moment for IT security teams.

Tags: