Microsoft Breaks Patch Record with 167 Security Fixes, Including Actively Exploited SharePoint Zero-Day and Windows Defender Flaw

Breaking: Microsoft Issues Record-Breaking April Patch Tuesday

Microsoft today released software updates addressing a staggering 167 security vulnerabilities in Windows and associated products — the highest number ever in a single Patch Tuesday. Among them: a zero-day in SharePoint Server already under active attack and a publicly exposed weakness in Windows Defender dubbed 'BlueHammer'.

Source: krebsonsecurity.com

Separately, Google Chrome fixed its fourth zero-day of 2026, and Adobe issued an emergency update for Reader to patch a flaw that has been actively exploited for remote code execution since at least November 2025.

Critically Exploited SharePoint Vulnerability

Microsoft warns that attackers are already targeting CVE-2026-32201, a SharePoint Server vulnerability that lets adversaries spoof trusted content or interfaces over a network. Mike Walters, president and co-founder of Action1, explained the danger: 'This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise. The presence of active exploitation significantly increases organizational risk.'

BlueHammer: Windows Defender Privilege Escalation

Microsoft also patched CVE-2026-33825, a privilege escalation flaw in Windows Defender—referred to as BlueHammer. According to BleepingComputer, the researcher who discovered the bug published exploit code after becoming frustrated with Microsoft’s response time. Will Dormann, senior principal vulnerability analyst at Tharros, confirmed that the public exploit code no longer works following the patch.

Patch Tuesday Records and the AI Connection

Satnam Narang, senior staff research engineer at Tenable, noted that April 2026 marks the second-largest Patch Tuesday ever for Microsoft, with nearly 60 browser vulnerabilities included. Adam Barnett, lead software engineer at Rapid7, called the total 'a new record in that category'.

Barnett speculated that the surge might be linked to Project Glasswing—a rumored AI capability from Anthropic announced a week ago that is reportedly adept at finding software bugs. However, he cautioned that the increase is more likely due to the growing use of AI in vulnerability discovery. 'A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities. We should expect to see further increases in vulnerability reporting volume as the impact of AI models extends further, both in terms of capability and availability.'

Background

Patch Tuesday is Microsoft's monthly cycle of security updates, typically addressing dozens of flaws. The previous record was set in October 2025 with 142 fixes. This month's total—167 vulnerabilities—shatters that mark, driven partly by an influx of browser-related weaknesses reported to the Chromium project (which underpins Microsoft Edge).

Additionally, Adobe released an emergency Reader update on April 11 for CVE-2026-34621, a flaw that has seen active exploitation since at least November 2025, according to Tenable’s Narang. Users of any browser should ensure they restart the browser completely after applying updates.

What This Means

For organizations, the urgency to deploy these patches is extreme—especially the SharePoint zero-day and the BlueHammer fix. The public availability of exploit code for BlueHammer means attackers can easily weaponize the flaw if systems remain unpatched. Users should prioritize updating Windows, Microsoft Office, SharePoint, and Edge immediately.

For the broader security landscape, the record number of patches signals that AI-driven vulnerability discovery is accelerating. As Barnett noted, this trend is unlikely to reverse, meaning future Patch Tuesdays may regularly exceed 150 fixes. Individuals and enterprises alike must adopt faster patch management cycles and robust vulnerability monitoring to keep pace.
