Skip to content

Microsoft Patch Tuesday April 2026: 167 Security Vulnerabilities and Four Chrome Zero-Days

Bottom line: Microsoft Patch Tuesday April 2026 with 167 vulnerabilities, including the actively exploited SharePoint zero-day CVE-2026-32201, reflects likely volume increase in vulnerability discovery driven by advanced AI capabilities.

Microsoft patched 167 security vulnerabilities, including the actively exploited SharePoint flaw CVE-2026-32201 and the publicly disclosed Windows Defender vulnerability BlueHammer. At the same time, Google closed Chrome’s fourth zero-day vulnerability of 2026, and Adobe released an emergency update for Reader against an actively exploited remote code execution flaw.

Microsoft patched a total of 167 security vulnerabilities in Windows and related products on Patch Tuesday in April 2026. Two of them stand out particularly: CVE-2026-32201 is a SharePoint Server vulnerability that is already being exploited by attackers. It allows malicious actors to forge trusted content and interfaces on the network. BlueHammer (CVE-2026-33825) is a privilege escalation vulnerability in Windows Defender whose proof-of-concept code was published by the researching security expert after expressing dissatisfaction with Microsoft’s handling of the report.

CVE-2026-32201 enables phishing attacks, unauthorized data manipulation, and social engineering campaigns within legitimate SharePoint environments. This has significant implications for the risk profile of affected organizations, as active exploitation is already occurring in deployed systems. Will Dormann, Senior Principal Vulnerability Analyst at Tharros, confirmed that publicly available BlueHammer exploits no longer function after installing today’s patches.

Satnam Narang of Tenable ranks April Patch Tuesday as Microsoft’s second-largest. Adam Barnett, Lead Software Engineer at Rapid7, called the volume a new record in this category — it covers nearly 60 browser vulnerabilities. Adobe had already released an emergency update for Reader on April 11, 2026, to patch CVE-2026-34621. This vulnerability is being actively exploited, with early indicators suggesting exploitation since at least November 2025.

Whether the sudden increase is related to Anthropic’s recently announced Project Glasswing — an AI feature for automated defect detection across a broad range of software — remains open. Barnett points out that Microsoft Edge is based on the Chromium engine, whose developers regularly credit numerous researchers for vulnerabilities that Microsoft republished on Friday. As a safe conclusion: the volume increase is being driven by advanced AI capabilities.

Google Chrome has already closed four zero-day vulnerabilities in 2026, with the fourth this month.


Source: ainews-dev.lumi-systems.io · Published May 17, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.5.2.

Share on: