April 2026 Patch Tuesday: 6 Critical Updates You Can't Ignore

Welcome to the April 2026 edition of Patch Tuesday—a month that security teams will remember for its record-breaking volume and alarming zero‑day activity. Microsoft unleashed a staggering 167 security fixes, covering everything from a SharePoint server flaw already under attack to a public exploit for a Windows Defender privilege‑escalation bug. Meanwhile, Google Chrome patched its fourth zero‑day of the year, and Adobe issued an emergency update for a Reader vulnerability that has been exploited since November 2025. With AI‑powered vulnerability discovery accelerating, the pace and complexity of patches are reaching new heights. Here are the six most critical updates you need to apply immediately.

1. Microsoft Drops a Whopping 167 Patches

April’s Patch Tuesday sets a new record for Microsoft, fixing 167 vulnerabilities across Windows, Office, Edge, and related software. According to Satnam Narang of Tenable, this is the second‑largest Patch Tuesday ever released by Redmond. The sheer volume underscores the increasing strain on enterprise patch management, especially with nearly 60 of those flaws residing in Microsoft Edge and the Chromium engine. Adam Barnett of Rapid7 notes that while the spike might be linked to the recent buzz around Anthropic’s unreleased Project Glasswing AI capability, a more direct cause is the expanding role of AI in discovering software bugs. Bottom line: prioritizing and deploying these patches quickly is essential to fend off potential attacks.

2. SharePoint Zero‑Day Under Active Attack

Among the most urgent fixes is CVE‑2026‑32201, a spoofing vulnerability in Microsoft SharePoint Server that attackers are already exploiting. Mike Walters of Action1 warns that this flaw allows adversaries to present falsified content within trusted SharePoint environments, enabling phishing, data manipulation, and social engineering. “The presence of active exploitation significantly increases organizational risk,” Walters emphasizes. If your organization relies on SharePoint for collaboration, applying this patch should be your top priority. Learn more about the broader patch batch above.

3. BlueHammer: Windows Defender Bug with Public Exploit Code

Microsoft also addressed CVE‑2026‑33825, dubbed BlueHammer, a privilege‑escalation vulnerability in Windows Defender. The researcher who discovered it grew frustrated with Microsoft’s response and published exploit code publicly. Will Dormann of Tharros confirmed that installing today’s patches neutralizes that exploit. While no widespread attacks have been reported yet, the public availability of working exploit code means unpatched systems are at high risk. Update Windows Defender and your OS immediately to close this door.

4. Google Chrome Patches Fourth Zero‑Day of 2026

Not to be outdone, Google released an update for Chrome that fixes its fourth zero‑day vulnerability this year. Although the specific CVE details are sparse, the update is critical because zero‑days are often used in targeted attacks. Chrome automatically updates, but users who rarely restart their browser may remain exposed. Make sure to completely exit and relaunch Chrome after the update to activate the fix. Combined with Microsoft’s browser‑related patches, this emphasizes the importance of keeping all browsers current.

5. Adobe Reader Emergency Update for Actively Exploited Flaw

Adobe released an out‑of‑band update on April 11 for CVE‑2026‑34621, a remote code execution vulnerability in Adobe Reader that “has seen active exploitation since at least November 2025,” according to Tenable’s Satnam Narang. Attackers can exploit this flaw by luring users to open a malicious PDF file. If you use Adobe Reader, verify that you are running the latest version (check Help > About). This is especially critical for organizations that handle sensitive documents, as a single compromised PDF can lead to full system compromise.

6. Record Browser Vulnerability Count Sparked by AI?

Why did Microsoft’s April update contain nearly 60 browser vulnerabilities? Adam Barnett of Rapid7 suggests that the sudden increase is no coincidence—it may be an early indicator of AI’s growing role in vulnerability discovery. One week before Patch Tuesday, Anthropic announced Project Glasswing, an AI system reportedly exceptional at finding bugs. While Barnett cautions that Microsoft Edge shares the Chromium codebase, and many vulnerabilities are reported by independent researchers, he expects AI to drive further increases in vulnerability reporting volume. Pro tip: Prepare your patch management processes for a future where updates become larger and more frequent. Review Microsoft’s record patch count above.

Conclusion: Patch Now, Restart Often

April 2026’s Patch Tuesday is a stark reminder that the threat landscape is evolving rapidly. With three separate vendors—Microsoft, Google, and Adobe—fixing actively exploited vulnerabilities, delaying updates is not an option. Equally important: browser patches only take effect after a full restart. Make it a habit to close and relaunch your browser after updates. As AI accelerates both vulnerability discovery and exploitation, staying patched is the strongest defense you have.