Microsoft today it pushed software updates to fix a staggering 167 security vulnerabilities in it Windows operating systems and related software, including a SharePoint Server zero-day and publicly disclosed vulnerabilities in Windows Defender it is called “BlueHammer.” Separately, Google Chrome fixed its fourth zero date for 2026, and an urgent review of Adobe Reader nixes a highly exploited bug that can lead to remote code execution.
Redmond warns that attackers are already targeting CVE-2026-32201, a vulnerability in Microsoft SharePoint Server that allows attackers to compromise trusted content or communications between networks.
Mike Walterspresident and founder of Action 1says CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting false information within trusted SharePoint environments.
“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further backlash,” Walters said. “The presence of active exploitation greatly increases an organization’s risk.”
This error occurs alongside a SQL Server remote code execution exception (CVE-2026-33120), notes Ryan BraunsteinSecurity and IT manager at Automox.
“One bug allows an attacker to access your SQL instance from the network,” Braundstein said. “One allows the person already inside to elevate themselves to full control.”
Microsoft also addressed BlueHammer (CVE-2026-33825), an elevation of privilege flaw in Windows Defender. According to BleepingComputer, the researcher who discovered the bug published the exploit code after notifying Microsoft and growing frustrated with their response. Is Dormannsenior principal risk analyst at Tharrossays he has confirmed that the public BlueHammer exploit code no longer works after applying today’s patches.
Satnam Narangsenior staff research engineer e It is usablesaid April marks Microsoft’s second-biggest Patch. Narang also said there are indications that Adobe’s zero-day bug included in an emergency update on April 11 – CVE-2026-34621 – has seen an active exploit since at least November 2025.
Adam Barnettlead software engineer at Immediately7called Microsoft’s total patch count today “a new record for that category” because it covers nearly 60 browser vulnerabilities. Barnett said it might be tempting to think the sudden vacancy is related to last week’s announcement today of Project Glasswing — a touted but unreleased new AI capability from Anthropic that’s reportedly good at finding bugs in a wide range of software.
But he notes that Microsoft Edge is based on the Chromium engine, and Chromium maintainers acknowledged a wide range of researchers about the vulnerability that Microsoft republished last Friday.
“The safe conclusion is that this increase in volume is driven by the ever-increasing power of AI,” Barnett said. “We should expect to see a further increase in the volume of risk reporting as the impact of AI models expands, both in terms of power and availability.”
Finally, no matter what browser you use to browse the web, it is important to completely close and restart the browser from time to time. This is really easy to undo (especially if you have a bajillion tabs open at any one time) but it’s the only way to ensure that any available updates are installed. For example, the Google Chrome update released earlier this month fixed 21 security holes, including the top zero-day flaw CVE-2026-5281.
For clickable, per-patch breakdowns, check out SANS Internet Storm Center Patch Tuesday rotation. Experiencing problems using any of these updates? Leave a note about it in the comments below and there’s a good chance someone here will post a solution.
