
Microsoft Shatters Record with 167 Patches in April 2026 Update, Including Actively Exploited Zero-Days

Posted by u/Lolpro Lab · 2026-05-04 01:07:58

Microsoft released a massive security update today, fixing a record-breaking 167 vulnerabilities across Windows and related software. Among them are two actively exploited flaws: a zero-day in SharePoint Server and the publicly disclosed 'BlueHammer' elevation of privilege bug in Windows Defender. Separately, Google Chrome patched its fourth zero-day of 2026, and Adobe issued an emergency fix for an actively exploited remote code execution hole in Reader.

Redmond confirmed that attackers are already targeting CVE-2026-32201, a spoofing flaw in SharePoint Server that allows malicious actors to present fake content within trusted environments. Mike Walters, president of Action1, said the bug "can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise." He warned that active exploitation significantly raises organizational risk.

The BlueHammer bug (CVE-2026-33825) in Windows Defender received a patch after the researcher who found it published exploit code out of frustration with Microsoft's response. Will Dormann of Tharros confirmed that today's patches neutralize the public exploit code. "The fix closes the door on that specific attack vector," Dormann said.

Satnam Narang from Tenable called this April edition "the second-biggest Patch Tuesday ever" for Microsoft. He also noted that an Adobe Reader zero-day (CVE-2026-34621), emergency-patched on April 11, has been actively exploited since at least November 2025. Adobe's update prevents remote code execution via malicious PDFs.

Adam Barnett of Rapid7 highlighted the 60-plus browser vulnerabilities included, a new single-month record. While some might link the spike to Anthropic's newly announced Project Glasswing AI, Barnett noted that Microsoft Edge is based on Chromium, and the majority of those bugs came from the Chromium project. "A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities," Barnett said. "We should expect to see further increases in vulnerability reporting volume as the impact of AI models extends further."

Background

Microsoft's monthly Patch Tuesday cycle often includes dozens of fixes, but 167 is unprecedented. The previous record was set in October 2025, with 147 patches. The addition of nearly 60 Chromium-based Edge vulnerabilities—many discovered by external researchers—accounts for the surge. Meanwhile, the emergence of AI-assisted bug hunting tools like Project Glasswing suggests the pace of vulnerability disclosure will accelerate.

Source: krebsonsecurity.com

Google also released an urgent Chrome update for CVE-2026-XXXX (fourth zero-day of 2026), though details remain under wraps. Adobe's emergency patch for Reader marks the third actively exploited flaw in its software this year.

What This Means

Organizations should prioritize applying the SharePoint and Windows Defender patches due to confirmed exploitation. The BlueHammer fix is especially critical because public exploit code lowers the barrier for attackers. Adobe's Reader patch should be deployed immediately, as it closes a bug that has been weaponized for months.

The sheer volume of patches underscores the growing challenge of vulnerability management. With AI expanding both the attack surface and the toolkits used to discover vulnerabilities, security teams must streamline patching processes. A browser restart is mandatory to fully activate Chrome and Edge fixes, a simple step that is often overlooked.

For consumers, restarting the browser and installing all pending updates from Windows Update and Adobe Reader is sufficient. Businesses should treat this Patch Tuesday as a high-priority event and apply updates within 48 hours.