April 2026 Patch Tuesday: Microsoft, Google, and Adobe Address Critical Flaws

Introduction: A Busy Month for Security Updates

On the second Tuesday of April 2026, Microsoft shipped a massive wave of patches targeting 167 security vulnerabilities across Windows and related products. Among the most urgent fixes are a zero-day in SharePoint Server already under active exploitation and a publicly disclosed privilege escalation flaw in Windows Defender nicknamed "BlueHammer." Meanwhile, Google Chrome patched its fourth zero-day of the year, and Adobe issued an emergency update for Reader to close an actively exploited remote code execution hole.

Source: krebsonsecurity.com

Microsoft’s Record Patch Count

April’s update set a new milestone in sheer volume. According to Adam Barnett, lead software engineer at Rapid7, this Patch Tuesday includes nearly 60 browser-related vulnerabilities, making it the second-largest Patch Tuesday ever for Microsoft. Barnett speculates that the surge might be linked to the recent fanfare around Anthropic’s Project Glasswing—a new AI capability touted for its bug-finding prowess. However, he notes that Microsoft Edge is built on the Chromium engine, and many of the reported flaws were acknowledged by Chromium maintainers in a batch republished by Microsoft just days before.

"A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities," Barnett said. "We should expect to see further increases in vulnerability reporting volume as the impact of AI models extends further, both in terms of capability and availability."

SharePoint Server Zero-Day (CVE-2026-32201)

Microsoft warns that attackers are already exploiting CVE-2026-32201, a spoofing vulnerability in SharePoint Server that allows malicious actors to present fake content or interfaces within trusted environments. Mike Walters, president and co-founder of Action1, explains that this flaw can be weaponized to deceive employees, partners, or customers. "This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise," Walters said. "The presence of active exploitation significantly increases organizational risk." Organizations using SharePoint Server should prioritize this update.

Windows Defender 'BlueHammer' (CVE-2026-33825)

Microsoft also fixed CVE-2026-33825, a privilege escalation vulnerability in Windows Defender that had been publicly shared with exploit code. According to BleepingComputer, the researcher who discovered the flaw grew frustrated with Microsoft’s response and published full details. Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that after installing April’s patches, the public exploit code no longer works, underscoring the critical nature of this update.

Google Chrome and Adobe Reader Updates

Google Chrome's Fourth Zero-Day of 2026

Chrome users received a stable channel update fixing an undisclosed zero-day vulnerability. This marks the fourth such actively exploited bug Google has addressed this year. As always, the company advises restarting the browser to apply the patch.

Adobe Reader Emergency Fix (CVE-2026-34621)

On April 11, Adobe released an emergency patch for Reader, addressing CVE-2026-34621, a flaw that can lead to remote code execution. Satnam Narang, senior staff research engineer at Tenable, highlighted that this vulnerability has been exploited in the wild since at least November 2025. Users who have not yet updated should do so immediately.

Final Recommendations

Regardless of which browser you use, it is essential to fully close and restart it after updating. The same applies to Windows and Office applications. With active exploitation confirmed for the SharePoint zero-day, BlueHammer, and the Adobe Reader flaw, the need to install these patches without delay cannot be overstated. As AI continues to reshape vulnerability discovery, experts anticipate even larger patch volumes in the months ahead. Stay vigilant and keep your systems current.
