Microsoft Shatters Record with 167 Flaws in April Patch Tuesday, SharePoint Zero-Day Under Active Attack
Emergency Patches Address Exploited SharePoint Flaw, Publicly Disclosed Windows Defender Bug
Microsoft released an unprecedented 167 security updates today, including fixes for a SharePoint Server zero-day that is already being exploited in the wild. The company also patched a publicly disclosed privilege escalation vulnerability in Windows Defender, codenamed “BlueHammer,” and urged organizations to apply the updates immediately.

The most critical flaw, CVE-2026-32201, allows attackers to spoof trusted content or interfaces within Microsoft SharePoint Server. “This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” said Mike Walters, president and co-founder of Action1. “The presence of active exploitation significantly increases organizational risk.”
BlueHammer: Privilege Escalation Bug Now Patched
Microsoft also addressed CVE-2026-33825, a Windows Defender elevation-of-privilege vulnerability made public by a frustrated researcher who released exploit code. Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that after applying today’s patches, the public exploit no longer works.
“Attackers could have used BlueHammer to gain higher system privileges, but the fix neuters that attack vector,” Dormann noted.
Record-Breaking Patch Volume Driven by Browser Flaws and AI
Satnam Narang, senior staff research engineer at Tenable, called April’s release the second-largest Patch Tuesday ever for Microsoft. The total includes nearly 60 vulnerabilities in Microsoft Edge, which is built on the Chromium engine. Adam Barnett, lead software engineer at Rapid7, said it “might be tempting to imagine” that the spike is linked to Project Glasswing, a rumored AI bug-finding tool from Anthropic.
But Barnett cautioned that Chromium acknowledgments show a wide range of researchers were credited for these flaws. “A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities. We should expect to see further increases as AI models extend further, both in capability and availability.”

Browsers and Acrobat Also Get Critical Fixes
Separately, Google Chrome fixed its fourth zero-day of 2026, while Adobe released an emergency patch for Adobe Reader. Narang highlighted that CVE-2026-34621, a remote code execution flaw in Reader, has been actively exploited since at least November 2025. Users of all browsers and Adobe products should close and restart their applications after updating.
Background
Microsoft’s April 2026 Patch Tuesday marks a new record for the number of vulnerabilities addressed, surpassing previous highs. The update comes amid rising concerns over AI-assisted vulnerability discovery and exploit development. Project Glasswing, an unreleased AI tool from Anthropic, was announced a week ago but is not yet available.
The 167 patches cover Windows, Office, SharePoint, and Edge, with 25 rated Critical and the rest Important. Five of the flaws are publicly known, and at least one is actively exploited.
What This Means
Organizations must prioritize patching SharePoint Server and Windows Defender immediately to block active attacks. The record volume of browser vulnerabilities underscores the need for rapid updating of Microsoft Edge and Chromium-based browsers. As AI-driven bug hunting becomes more prevalent, security teams should prepare for an accelerating pace of vulnerability disclosures and patch releases.
“We’ve entered an era where the volume of flaws will only grow,” said Walters. “Automated patch management is no longer optional—it’s a survival imperative.”