Microsoft’s April 2026 Patch Tuesday closes 167 security vulnerabilities across Windows and related software, including a SharePoint Server zero-day (CVE-2026-32201) and a Windows Defender privilege-escalation flaw nicknamed BlueHammer (CVE-2026-33825) 1.
Redmond says attackers are already exploiting CVE-2026-32201, which can be used to spoof trusted content or interfaces over a network. Mike Walters, president and co-founder of Action1, warned the bug could enable phishing, unauthorised data manipulation or social-engineering campaigns inside SharePoint environments 1.
BlueHammer was made public after the researcher who found it published exploit code in frustration with Microsoft’s response. Will Dormann, senior principal vulnerability analyst at Tharros, said the public exploit no longer works after applying today’s patches 1.
Satnam Narang, senior staff research engineer at Tenable, called April the second-biggest Patch Tuesday on record for Microsoft. Adam Barnett, lead software engineer at Rapid7, said the release includes nearly 60 browser-related vulnerabilities — a new record for that category — and flagged the volume as notable 1.
Barnett and others pointed to rapid advances in AI-driven bug discovery as a likely driver of the surge in vulnerability disclosures; Microsoft’s Edge uses the Chromium engine, and many of the browser flaws were reported via Chromium’s maintainers 1.
Separately, Google Chrome patched its fourth zero-day of 2026, and Adobe issued an emergency update for Reader to fix CVE-2026-34621, a flaw Tenable says has seen active exploitation since at least November 2025 1.
Practical takeaway for Indian IT teams and administrators: install Microsoft’s patches immediately and follow the restart guidance to neutralise publicly available exploits — a step emphasised in today’s advisory and by researchers 1.
ops.llm_calls. Every fact traces to a citation. If a fact looks wrong, write to corrections.