
April 2026 Patch Tuesday: 10 Critical Security Updates You Must Know About

Posted by u/Lolpro Lab · 2026-05-04 13:46:18

Welcome to another Patch Tuesday, April 2026 edition. This month, Microsoft dropped a record-breaking 167 security fixes across Windows and its ecosystem, including an actively exploited SharePoint Server zero-day and a controversial privilege escalation bug called BlueHammer that had exploit code published publicly before patches arrived. Meanwhile, Google Chrome patched its fourth zero-day of the year, and Adobe issued an emergency update for Reader to plug a flaw that attackers have been exploiting since last November. Below, we break down the ten most important things you need to know from this month's security patch bonanza.

1. A Historic Patch Load: 167 Vulnerabilities Fixed

Microsoft's April 2026 Patch Tuesday is the second-largest in the company's history, according to Tenable senior staff research engineer Satnam Narang. The tally includes nearly 60 browser-related vulnerabilities (more on that later), plus fixes for Windows, Office, SharePoint, and Windows Defender. The sheer volume—167 CVEs—shatters previous records and underscores the increasing complexity of securing modern software. While not all flaws are equally critical, the number alone demands attention. Security teams should prioritize patching systems this week, especially those exposed to the internet or handling sensitive data.

Source: krebsonsecurity.com

2. SharePoint Server Zero-Day Under Active Attack

Tracked as CVE-2026-32201, this SharePoint Server vulnerability allows attackers to spoof trusted content or interfaces over a network. Microsoft warns that exploitation is already happening in the wild. Mike Walters, president of Action1, explains that it enables phishing attacks, unauthorized data manipulation, and social engineering campaigns that can lead to further compromise. For organizations relying on SharePoint for internal collaboration, this patch is critical. CVE-2026-32201 is one of several zero-days Microsoft addressed this month, and because proof-of-concept code can now be reverse-engineered from the patch, attackers will soon have easier access to weaponized exploits if you don't update immediately.

3. BlueHammer: Windows Defender Privilege Escalation Flaw Goes Public

Dubbed BlueHammer (CVE-2026-33825), this Windows Defender bug allows an attacker to gain elevated privileges on a machine. The researcher who discovered the vulnerability grew frustrated with Microsoft's response and published exploit code—a rare and risky move. According to Will Dormann of Tharros, the public exploit no longer works after installing today's patches, but the incident raises questions about disclosure timelines. BlueHammer is a reminder that even security products can have serious flaws. If you're using Windows Defender, ensure you apply this update to prevent local privilege escalation attacks on your systems.

4. Google Chrome Fixes Its 4th Zero-Day of 2026

Google's latest Chrome update addresses a zero-day vulnerability that was being actively exploited. This marks the fourth such Chrome zero-day patched in 2026 so far, signaling that attackers are increasingly targeting the wildly popular browser. While details are limited to prevent further exploitation, the advisory suggests the bug affects the V8 JavaScript engine. Chrome users should restart their browser to install the update automatically. As always, keep your browser current to stay protected—zero-days in browsing software are a top vector for initial compromise.

5. Emergency Adobe Reader Patch Closes Actively Exploited Flaw

Issued on April 11 as an emergency out-of-band update, Adobe Reader's CVE-2026-34621 is a critical remote code execution vulnerability. Satnam Narang says there are indications that this flaw has been actively exploited since at least November 2025—meaning attackers have had a head start. Given that Reader is ubiquitous in enterprise document workflows, the risk is substantial. Criminals often embed malicious PDFs in phishing emails. If you’re on an older version, update now so that CVE-2026-34621 is patched. Adobe recommends restarting the software after installation.

6. A Spike in Browser Vulnerabilities: Nearly 60 Bug Fixes

Adam Barnett of Rapid7 notes that Microsoft's April patch count includes an extraordinary ~60 browser vulnerabilities, most affecting Microsoft Edge (built on Chromium). He suggests the sudden surge might be linked to the buzz around Project Glasswing, an unreleased AI tool from Anthropic that reportedly excels at finding software bugs. However, Barnett’s safe conclusion is that AI capabilities are expanding rapidly, enabling both defenders and attackers to discover more vulnerabilities. “We should expect to see further increases in vulnerability reporting volume as AI models extend further,” he said. This trend means patch management will only become more critical.


7. Project Glasswing: AI’s Role in Vulnerability Discovery

While not a patch itself, the announcement of Project Glasswing a week ago has security experts speculating about its impact. Anthropic’s new AI is hyped for its bug-finding prowess. The timing of the jump in browser vulnerabilities—many reported by researchers acknowledged in Chromium’s credits—suggests AI-assisted discovery may already be inflating numbers. If so, expect future Patch Tuesdays to be even heftier. This is a double-edged sword: more bugs found means more patches, but also more opportunities for attackers if fixes lag behind.

8. Expert Insights: Why This Month Matters

Security professionals emphasize the urgency. Mike Walters (Action1) warns that the SharePoint zero-day can be used to “present falsified information within trusted SharePoint environments,” jeopardizing corporate communications. Will Dormann (Tharros) confirmed that BlueHammer exploit code is now neutralized—but only if you patch. Satnam Narang (Tenable) highlights the Adobe Reader exploitation dating back months. Adam Barnett (Rapid7) calls the total “a new record” and ties it to AI trends. Collectively, their message: don’t delay patching. These aren't theoretical risks—they’re being actively weaponized.

9. BlueHammer: A Case Study in Disclosure Disagreements

The BlueHammer vulnerability (CVE-2026-33825) is noteworthy not just for its impact but for how it was handled. The researcher published exploit code after a negative experience with Microsoft’s response, according to BleepingComputer. While patches are now available, such public disclosures force organizations into emergency patching cycles. It also highlights the tension between researcher patience and vendor timelines. For IT admins, the lesson is to monitor third-party disclosure platforms, because sometimes the patch doesn’t arrive before exploit code surfaces.

10. Don’t Forget to Restart Your Browser

It sounds basic, but many security updates—especially for Chrome, Edge, and Firefox—only take effect after a full browser restart. If you’re still using an older browser session, you may be vulnerable even after the patch is downloaded. Make it a habit: after any Patch Tuesday, close all browser windows and reopen them. Similarly, for Adobe Reader, a restart is required to load the patched version. This simple step ensures that the patches you’ve installed are actually protecting you. Stay safe out there!
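To check for sessions that have not been restarted, the sketch below (an added example, not from the original article) flags browser and Reader processes that were started before the update was installed. The process snapshot, install times and the helper name `stale_sessions` are constructed for illustration, and it assumes helper processes run the same code version as the oldest process of their session.

```python
from datetime import datetime

# Process image names for the products named in the article.
PRODUCTS = {
    "chrome.exe": "Chrome",
    "msedge.exe": "Edge",
    "firefox.exe": "Firefox",
    "acrord32.exe": "Adobe Reader",
    "acrobat.exe": "Adobe Reader",
}

def stale_sessions(processes, installed_at):
    """Return {product: [pids]} for sessions still running pre-update code.

    processes    -- iterable of (image_name, pid, start_time_iso)
    installed_at -- {product: ISO time the update finished installing}
    """
    by_product = {}
    for image, pid, started in processes:
        product = PRODUCTS.get(image.lower())
        if product is None or product not in installed_at:
            continue
        by_product.setdefault(product, []).append(
            (datetime.fromisoformat(started), pid))
    stale = {}
    for product, procs in by_product.items():
        oldest = min(procs)[0]
        # Helper processes spawned after the update still belong to the old
        # session, so judge the whole group by its oldest process (assumption).
        if oldest < datetime.fromisoformat(installed_at[product]):
            stale[product] = sorted(pid for _, pid in procs)
    return stale

# Constructed sample data (not from the article): one host's process snapshot.
SNAPSHOT = [
    ("chrome.exe", 4120, "2026-04-13T08:55:00"),   # browser opened before update
    ("chrome.exe", 9984, "2026-04-15T10:02:00"),   # tab opened after update
    ("msedge.exe", 7312, "2026-04-15T09:30:00"),   # restarted after update
    ("AcroRd32.exe", 5560, "2026-04-10T16:20:00"),
    ("notepad.exe", 1204, "2026-04-01T12:00:00"),  # not a tracked product
]
INSTALLED = {  # constructed install times
    "Chrome": "2026-04-15T07:00:00",
    "Edge": "2026-04-15T07:00:00",
    "Adobe Reader": "2026-04-11T18:00:00",
}

if __name__ == "__main__":
    for product, pids in stale_sessions(SNAPSHOT, INSTALLED).items():
        print(f"{product}: restart needed, PIDs {pids}")
```

The Chrome tab opened after the update is still reported, because it belongs to a session whose main process predates the patch.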

Conclusion: April 2026’s Patch Tuesday is a wake-up call. With 167 fixes, a SharePoint zero-day under active attack, a public exploit for Windows Defender, and ongoing threats to Chrome and Adobe Reader, the risk landscape is dense. The increasing role of AI in vulnerability discovery promises to keep the pressure on security teams. But the fundamentals remain: apply patches promptly, restart affected software, and stay informed. For a deeper dive into the SharePoint zero-day, review Item #2; for details on BlueHammer, see Item #3. As always, vigilance is your best defense.