Microsoft Patches 167 Flaws Including SharePoint Zero-Day and BlueHammer Privilege Escalation Bug

April 15, 2026 00:01 · 6 min read
A Record-Breaking April for Microsoft Patches

Microsoft released security updates this Patch Tuesday fixing a staggering 167 vulnerabilities across Windows operating systems and related software. The April 2026 update cycle stands out not only for its sheer volume — which Satnam Narang, senior staff research engineer at Tenable, described as the second-biggest Patch Tuesday ever for Microsoft — but also for the severity and active exploitation of several included flaws.

Adam Barnett, lead software engineer at Rapid7, pointed out that the total includes nearly 60 browser-related vulnerabilities alone, a count he called "a new record in that category." Alongside Microsoft's release, Google Chrome patched its fourth zero-day of 2026, and Adobe issued an emergency update for Reader to address an actively exploited remote code execution flaw.

SharePoint Server Zero-Day Under Active Attack

Microsoft is warning that threat actors are already exploiting CVE-2026-32201, a vulnerability in Microsoft SharePoint Server that enables attackers to spoof trusted content or interfaces over a network.

Mike Walters, president and co-founder of Action1, explained the real-world danger of this flaw:

"This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise. The presence of active exploitation significantly increases organizational risk."

Walters noted that CVE-2026-32201 could be weaponized to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments — a particularly insidious attack vector given how widely the platform is used for internal collaboration and document management.

SQL Server RCE Compounds the Threat

Ryan Braunstein, manager of Security and IT at Automox, drew attention to a separate SQL Server remote code execution flaw, CVE-2026-33120, and paired it with a second bug, a privilege escalation flaw that lets an attacker who is already on the SQL instance take full control of it.

Braunstein broke down the threat plainly: "One bug allows an attacker to get into your SQL instance from the network. The other lets someone already inside promote themselves to full control." In other words, CVE-2026-33120 provides initial access over the network, and the privilege escalation bug turns that foothold into full control of the instance. That is a textbook attack chain, and security teams should close both halves of it immediately rather than patching only the remote code execution flaw.

BlueHammer: A Windows Defender Privilege Escalation Bug Gone Public

Also addressed in this month's updates is CVE-2026-33825, a privilege escalation vulnerability in Windows Defender nicknamed BlueHammer. Unlike most patches, which fix privately reported issues before any exploit is public, BlueHammer carried extra risk: a security researcher, frustrated with Microsoft's response after responsibly disclosing the flaw, publicly released working exploit code before a fix was available.

Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that after installing April's patches, the publicly available BlueHammer exploit code no longer functions. While that is reassuring, the window of exposure between the public release of the exploit and today's patch represents a period of elevated organizational risk for anyone running unpatched Windows Defender installations.

Adobe Reader Emergency Patch: Exploitation Dating Back to November 2025

On April 11 — ahead of Patch Tuesday — Adobe released an emergency update for Adobe Reader targeting CVE-2026-34621, a flaw that can lead to remote code execution. Satnam Narang at Tenable said there are indications that this vulnerability has seen active exploitation since at least November 2025, meaning attackers had a significant head start before the fix became available.

Users of Adobe Reader should ensure they have applied the out-of-band emergency update immediately if they have not already done so.

Chrome's Fourth Zero-Day of 2026

Google Chrome independently fixed its fourth zero-day vulnerability of 2026 this cycle. An earlier Chrome update released this month patched 21 security holes, including the high-severity zero-day CVE-2026-5281. Chrome users who have not restarted their browser recently may not have received these fixes even if the update was downloaded in the background.

This is a critical reminder that simply downloading browser updates is not sufficient — users must fully close and restart their browsers to ensure patches are actually applied. This is especially important for those who habitually leave dozens of tabs open for extended periods.

AI's Growing Role in Vulnerability Discovery

The dramatic spike in browser vulnerabilities this month prompted speculation about whether it was connected to the high-profile announcement, made approximately one week before Patch Tuesday, of Project Glasswing — a widely discussed but still-unreleased AI capability from Anthropic that is reportedly highly effective at identifying bugs across a broad range of software.

Adam Barnett at Rapid7 offered a more measured explanation, noting that Microsoft Edge is built on the Chromium engine, and that the Chromium maintainers credited a wide range of researchers for the vulnerabilities Microsoft republished last Friday. Barnett attributed the volume increase to the broader and ongoing expansion of AI-assisted vulnerability research:

"A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities. We should expect to see further increases in vulnerability reporting volume as the impact of AI models extends further, both in terms of capability and availability."

Key Patches to Prioritize

Based on the flaws discussed above, the fixes to apply first are:

- CVE-2026-32201: SharePoint Server spoofing, under active exploitation.
- CVE-2026-33120: SQL Server remote code execution, which chains with a privilege escalation bug to give full control of the instance.
- CVE-2026-33825 (BlueHammer): Windows Defender privilege escalation, with public exploit code available before the patch.
- CVE-2026-34621: Adobe Reader remote code execution, exploited since at least November 2025 and fixed by Adobe's out-of-band update of April 11.
- CVE-2026-5281: high-severity Chrome zero-day; the fix only takes effect once the browser is fully relaunched.

Staying Protected

Security teams should treat this month's updates as high priority across the board, given the combination of active exploitation, publicly released exploit code, and an unusually large patch volume. For a full per-patch breakdown organized by product and severity, the SANS Internet Storm Center Patch Tuesday roundup offers a clickable reference guide.

And regardless of which browser you use, make it a habit to fully close and relaunch it on a regular basis. It remains the only reliable way to guarantee that downloaded browser security updates are actually installed and running.
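The two passages above (the Chrome section and this closing advice) both come down to one check: is the browser binary that is actually running older than the build the updater has already staged on disk? The following PowerShell is an added example, not code from the original article or from Google or Microsoft. It assumes the default per-machine install layout on Windows, where Chrome and Edge stage each new build in a version-named folder under the browser's Application directory while the old chrome.exe or msedge.exe keeps running until relaunch; the install paths in the usage lines are assumptions and need adjusting for per-user installs under $env:LOCALAPPDATA.

```powershell
# Added example (not from the original article): report browsers that have a
# newer build staged on disk than the one currently executing, i.e. an update
# that was downloaded but never applied because the browser was not relaunched.
# Assumption: Chrome/Edge keep one folder per build, named by version number,
# under ...\Application\, and the running executable's product version reflects
# the build actually loaded (the old one until restart).

function Get-BrowserRelaunchStatus {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,  # e.g. 'chrome' or 'msedge'
        [Parameter(Mandatory)] [string] $InstallDir    # the ...\Application folder
    )

    if (-not (Test-Path -Path $InstallDir)) {
        return [pscustomobject]@{ Browser = $ProcessName; Installed = $false }
    }

    # Newest build present on disk = highest version-named subfolder.
    $onDisk = Get-ChildItem -Path $InstallDir -Directory |
        Where-Object { $_.Name -match '^\d+(\.\d+){3}$' } |
        ForEach-Object { [version] $_.Name } |
        Sort-Object -Descending |
        Select-Object -First 1

    # Version of the binary that is actually running. MainModule can throw for
    # processes owned by another user unless the shell is elevated, so tolerate it.
    $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $running = $null
    if ($proc) {
        try { $running = [version] $proc.MainModule.FileVersionInfo.ProductVersion }
        catch { $running = $null }
    }

    [pscustomobject]@{
        Browser        = $ProcessName
        Installed      = $true
        Running        = [bool] $proc
        OnDiskVersion  = $onDisk
        RunningVersion = $running
        # True when the browser is running an older build than the one staged.
        RelaunchNeeded = [bool] ($proc -and $running -and ($running -lt $onDisk))
    }
}

# Usage: default per-machine install paths (assumed; adjust for per-user installs).
$targets = @(
    @{ ProcessName = 'chrome'; InstallDir = "$env:ProgramFiles\Google\Chrome\Application" },
    @{ ProcessName = 'msedge'; InstallDir = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application" }
)
$targets | ForEach-Object { Get-BrowserRelaunchStatus @_ } | Format-Table -AutoSize
```

A RelaunchNeeded value of True means the fix for a zero-day such as CVE-2026-5281 is sitting on disk but the vulnerable build is still the one rendering pages; closing every window (including any "keep running in the background" instance) and reopening the browser is what makes the staged build take over. Running this from an endpoint management tool across a fleet turns the advice in this article into something you can actually measure.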


Source: Krebs on Security
