Patch Tuesday April 2026: 167 fixes, a SharePoint zero-day, and a Defender bug nicknamed BlueHammer
Microsoft's biggest single Patch Tuesday in years lands a SharePoint zero-day already in the wild and a Defender privilege-escalation flaw with a leaked exploit.
Microsoft shipped 167 security fixes this Patch Tuesday, the second-largest single release on record. Tenable’s Satnam Narang flagged the size of the release; Rapid7’s Adam Barnett noted that the volume reflects roughly sixty browser vulnerabilities discovered partly by AI fuzzing pipelines that Microsoft and others have been quietly leaning on harder this year. Three pieces of this release are worth more than the headline number.
CVE-2026-32201 is a SharePoint Server zero-day already being exploited in the wild. The advisory describes it as a spoofing flaw, which is the polite term for “an attacker can cause SharePoint to render attacker-supplied content as if it had come from your own tenant.” That’s a phishing primitive sitting inside the trust boundary every employee already grants their company’s own SharePoint. Awareness training does not save you from a phishing page that is genuinely served from yourcompany.sharepoint.com. The lesson, restated: SharePoint farms remain network entry points and need network-layer segmentation, not just patches and an EDR policy.
CVE-2026-33825 is a Windows Defender privilege-escalation flaw, nicknamed BlueHammer in the reporting. The detail worth noting is that the original researcher published working exploit code, openly, in frustration with Microsoft’s response timeline. That’s becoming a recurring pattern — the public-exploit-as-leverage move — and it changes how defenders should think about the post-disclosure window. Plan for the 24 to 72 hours after a Patch Tuesday to get noticeably worse, because the gap between fix availability and weaponised proof-of-concept is closing on its own.
The third item is non-Microsoft but parked in the same release window. Adobe pushed an emergency Acrobat / Reader fix (CVE-2026-34621) for a flaw that has been exploited since at least November 2025; Google patched its fourth Chrome zero-day of the year. None of this is on Microsoft’s bulletin, but it’s all on your laptop fleet, and the patching window for any of them is the same.
The honest read. The volume number on this Patch Tuesday is the headline; the SharePoint zero-day is the operational priority; BlueHammer’s leaked exploit is the cultural signal. Treat all three as separate problems, in that order.
Sources
- Krebs on Security — Patch Tuesday, April 2026 Edition // primary
- Microsoft — Security Update Guide // primary