April 2026 Patch Tuesday: Microsoft, Adobe, Google Fix Actively Exploited Zero-Days
Microsoft's April 2026 Patch Tuesday addresses 167 vulnerabilities, including a SharePoint Server zero-day under active attack and a publicly disclosed Windows Defender privilege-escalation bug, while Adobe and Google also release emergency patches for exploited flaws.
Microsoft today released its April 2026 Patch Tuesday updates, fixing a staggering 167 security vulnerabilities across Windows and related software. The update includes patches for a SharePoint Server zero-day already under active exploitation, a publicly disclosed Windows Defender privilege-escalation flaw dubbed "BlueHammer," and nearly 60 browser vulnerabilities. Separately, Adobe issued an emergency patch for an actively exploited Reader remote code execution flaw, and Google Chrome fixed its fourth zero-day of 2026.
Redmond warns that attackers are actively targeting CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server that allows attackers to present falsified content or interfaces within trusted SharePoint environments. Mike Walters, president and co-founder of Action1, said the flaw can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise. The presence of active exploitation significantly increases organizational risk, Walters noted.
Microsoft also addressed CVE-2026-33825, known as BlueHammer, a privilege escalation vulnerability in Windows Defender. According to BleepingComputer, the researcher who discovered the flaw published exploit code after growing frustrated with Microsoft's response. Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that the public exploit code no longer works after installing today's patches, indicating the fix is effective.
Satnam Narang, senior staff research engineer at Tenable, noted that April marks the second-biggest Patch Tuesday ever for Microsoft. He also highlighted that Adobe's emergency update on April 11 for CVE-2026-34621, a Reader remote code execution flaw, has seen active exploitation since at least November 2025. The Adobe patch addresses a critical vulnerability that could allow attackers to take control of affected systems.
Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft "a new record" due to the inclusion of nearly 60 browser vulnerabilities. He noted that while some might attribute the spike to the recent announcement of Project Glasswing, an AI-powered vulnerability discovery tool from Anthropic, the increase is more likely driven by the expanding capabilities of AI in vulnerability research. "We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further," Barnett said.
Google Chrome also released an update earlier this month fixing 21 security holes, including the high-severity zero-day CVE-2026-5281. Users are advised to completely close and restart their browsers to ensure updates are applied, as this is the only way to guarantee that available patches are installed.
Organizations should prioritize patching CVE-2026-32201, CVE-2026-33825, and CVE-2026-34621 due to active exploitation. The sheer volume of fixes this month underscores the growing challenge of vulnerability management, especially as AI-powered tools accelerate the discovery of flaws. For a detailed breakdown of all patches, the SANS Internet Storm Center provides a clickable Patch Tuesday roundup.