Microsoft Breaks Record with 167 Security Patches in April Update – Active Exploits Confirmed

Breaking: Microsoft Issues Record 167 Patches Amid Active Zero-Day Attacks

Microsoft released 167 security updates on April 14, 2026, the largest Patch Tuesday in its history, addressing vulnerabilities across Windows, Office, SharePoint, and Edge. The company confirmed active exploitation of at least two flaws: a SharePoint Server spoofing bug and a privilege escalation in Windows Defender dubbed “BlueHammer.”

Microsoft Breaks Record with 167 Security Patches in April Update – Active Exploits Confirmed — Source: krebsonsecurity.com

Separately, Google patched its fourth Chrome zero-day of 2026, and Adobe pushed an emergency fix for a Reader vulnerability that has been under attack since November 2025. Experts urge immediate updates.

SharePoint Zero-Day Under Active Attack

Microsoft warns that attackers are actively exploiting CVE-2026-32201, a SharePoint Server vulnerability that allows spoofing of trusted content or interfaces. The flaw can trick employees, partners, or customers into viewing falsified information within trusted SharePoint environments.

Mike Walters, president and co-founder of Action1, said: “This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise. The presence of active exploitation significantly increases organizational risk.”

BlueHammer: Public Exploit Code Now Neutralized

The update also fixes BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender. According to BleepingComputer, the researcher who discovered the flaw published exploit code after becoming frustrated with Microsoft’s response. The exploit no longer works on patched systems.

Will Dormann, senior principal vulnerability analyst at Tharros, confirmed: “I verified that the public BlueHammer exploit code fails after installing today’s patches.”

Adobe and Chrome Emergency Fixes

On April 11, Adobe issued an emergency update for Reader to fix CVE-2026-34621, a remote code execution flaw that has been actively exploited since at least November 2025. Satnam Narang, senior staff research engineer at Tenable, noted “active exploitation since at least November 2025.”

Google also patched its fourth Chrome zero-day of the year. No further details were provided, but users are advised to restart their browsers.

Background

The April 2026 Patch Tuesday includes nearly 60 browser vulnerabilities, a sharp increase attributed to Microsoft Edge’s Chromium base. Adam Barnett, lead software engineer at Rapid7, called it “a new record in that category.” He noted that the spike might be linked to the recent announcement of Project Glasswing, an AI capability from Anthropic that excels at bug hunting. However, Barnett clarified that the volume increase is likely driven by “ever-expanding AI capabilities” and expects “further increases in vulnerability reporting volume as AI models extend further.”

What This Means

Record patch volumes signal a shifting threat landscape: attackers are weaponizing vulnerabilities faster, and defenders must accelerate deployment cycles. The inclusion of actively exploited flaws underscores urgency—delaying even a single patch can lead to compromise. For enterprises, the focus should be on prioritizing fixes for SharePoint and Windows Defender, plus ensuring Adobe Reader and Chrome are updated. The trend of AI-generated vulnerability discovery suggests organizations should brace for even larger patch loads in the coming months. Restarting browsers after updates is critical to fully apply fixes.

No matter what browser you use, completely closing and restarting it is essential to finalize patches.