Patch Tuesday, April 2026 Edition

<p><strong>Microsoft</strong> today pushed software updates to fix a staggering 167 security vulnerabilities in its <strong>Windows</strong> operating systems and related software, including a <strong>SharePoint Server</strong> zero-day and a publicly disclosed weakness in <strong>Windows Defender</strong> dubbed &#8220;<strong>BlueHammer</strong>.&#8221; Separately, <strong>Google Chrome</strong> fixed its fourth zero-day of 2026, and an emergency update for <strong>Adobe Reader</strong> nixes an actively exploited flaw that can lead to remote code execution.</p> <p><img decoding="async" loading="lazy" class=" wp-image-56287 aligncenter" src="https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate.png" alt="A picture of a windows laptop in its updating stage, saying do not turn off the computer. " width="749" height="527" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate.png 841w, https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate-768x541.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate-782x550.png 782w, https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate-100x70.png 100w" sizes="(max-width: 749px) 100vw, 749px" /></p> <p>Redmond warns that attackers are already targeting <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-32201" target="_blank" rel="noopener">CVE-2026-32201</a>, a vulnerability in Microsoft SharePoint Server that allows attackers to spoof trusted content or interfaces over a network.</p> <p><strong>Mike Walters</strong>, president and co-founder of <strong>Action1</strong>, said CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments.</p> <p>&#8220;This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,&#8221; Walters said. &#8220;The presence of active exploitation significantly increases organizational risk.&#8221;</p> <p>Microsoft also addressed BlueHammer (<a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-33825" target="_blank" rel="noopener">CVE-2026-33825</a>), a privilege escalation bug in Windows Defender. According to BleepingComputer, the researcher who discovered the flaw <a href="https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/" target="_blank" rel="noopener">published exploit code for it</a> after notifying Microsoft and growing exasperated with their response. <strong>Will Dormann</strong>, senior principal vulnerability analyst at <strong>Tharros</strong>, says he <a href="https://infosec.exchange/@wdormann/116404516592597593" target="_blank" rel="noopener">confirmed</a> that the public BlueHammer exploit code no longer works after installing today&#8217;s patches.<span id="more-73440"></span></p> <p><strong>Satnam Narang</strong>, senior staff research engineer at <strong>Tenable</strong>, said April marks the second-biggest Patch Tuesday ever for Microsoft. Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 &#8212; <a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" target="_blank" rel="noopener">CVE-2026-34621</a> &#8212; has seen active exploitation since at least November 2025.</p> <p><strong>Adam Barnett</strong>, lead software engineer at <strong>Rapid7</strong>, called the patch total from Microsoft today &#8220;a new record in that category&#8221; because it includes nearly 60 browser vulnerabilities. Barnett said it might be tempting to imagine that this sudden spike was tied to the buzz around the announcement a week ago today of <a href="https://www.anthropic.com/glasswing" target="_blank" rel="noopener">Project Glasswing</a> &#8212; a much-hyped but still unreleased new AI capability from Anthropic that is reportedly quite good at finding bugs in a vast array of software.</p> <p>But he notes that <strong>Microsoft Edge</strong> is based on the Chromium engine, and the Chromium maintainers acknowledge a wide range of researchers for the vulnerabilities which Microsoft republished last Friday.</p> <p>&#8220;A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities,&#8221; Barnett said. &#8220;We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability.&#8221;</p> <p>Finally, no matter what browser you use to surf the web, it&#8217;s important to completely close out and restart the browser periodically. This is really easy to put off (especially if you have a bajillion tabs open at any time) but it&#8217;s the only way to ensure that any available updates get installed. For example, a Google Chrome update released earlier this month fixed 21 security holes, including the high-severity zero-day flaw <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-5281" target="_blank" rel="noopener">CVE-2026-5281</a>.</p> <p>For a clickable, per-patch breakdown, check out the <strong>SANS Internet Storm Center</strong> <a href="https://isc.sans.edu/forums/diary/Microsoft%20Patch%20Tuesday%20April%202026./32898/" target="_blank" rel="noopener">Patch Tuesday roundup</a>. Running into problems applying any of these updates? Leave a note about it in the comments below and there&#8217;s a decent chance someone here will pipe in with a solution.</p>