Microsoft released its April 2026 Patch Tuesday security update, pushing fixes for a staggering 167 security vulnerabilities across Windows, Office, SharePoint, and related products. The update includes patches for an actively exploited SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed "BlueHammer." Separately, Google shipped Chrome's fourth zero-day patch of 2026.
By the Numbers
| Severity | Count |
|---|---|
| Critical | 29 |
| Important | 130 |
| Moderate | 8 |
| Total | 167 |
This makes April 2026 one of the largest Patch Tuesday releases on record, continuing a trend of elevated vulnerability volume that security researchers have tracked throughout 2026.
The Zero-Day: SharePoint Server Remote Code Execution
The most urgent patch this month addresses an actively exploited zero-day vulnerability in Microsoft SharePoint Server. The flaw allows a remote attacker to execute arbitrary code on the server without requiring elevated privileges in certain configurations — a classic pre-authentication or low-privilege RCE scenario.
SharePoint Server has been a frequent target for threat actors due to:
- Its widespread enterprise deployment, giving attackers broad target surface
- Its connectivity to Active Directory and internal file systems, making it a valuable pivot point
- Historical precedent — SharePoint vulnerabilities have been exploited by APT groups, ransomware operators, and criminal hackers alike
Microsoft's advisory noted that exploitation has been observed in the wild prior to the patch release, meaning organizations running unpatched SharePoint Server instances are actively at risk.
Priority action: Organizations running on-premises SharePoint Server should treat this patch as emergency priority and deploy it outside of normal patch cycles if possible.
BlueHammer: The Windows Defender Disclosure
The second notable vulnerability — BlueHammer — affects Windows Defender and was publicly disclosed before Microsoft released a patch. Unlike the SharePoint zero-day, there is no confirmed active exploitation of BlueHammer at the time of this update, but public disclosure significantly lowers the barrier for threat actors to develop and deploy an exploit.
BlueHammer appears to be a defense evasion or bypass vulnerability — attackers who can exploit it may be able to disable, bypass, or circumvent Windows Defender protections on a target system, creating an opening for malware execution or lateral movement without triggering endpoint detection.
The name "BlueHammer" suggests the vulnerability may have been named by the researcher who disclosed it, a common practice when vendors are slow to patch (though Microsoft included a fix in this cycle).
Chrome's Fourth Zero-Day of 2026
Coinciding with Patch Tuesday, Google released an emergency Chrome update patching the browser's fourth zero-day vulnerability of 2026. Chrome zero-days are consistently among the most impactful browser vulnerabilities because Chrome's market dominance — over 65% global browser share — gives attackers enormous reach.
Chrome's track record of frequent zero-day exploitation in 2026 reflects several factors:
- Continued investment by nation-state and criminal actors in browser-based exploit chains
- The value of browser exploitation for initial access in spear-phishing and watering hole campaigns
- Chrome's use of JavaScript V8 engine, a frequent target for memory corruption research
Users on all platforms (Windows, macOS, Linux) should ensure Chrome has updated to the latest stable version. Enterprise administrators should verify that Chrome is managed and updating correctly via group policy or MDM.
Other Notable Vulnerabilities
Beyond the headlining zero-days, April's patch batch includes several vulnerabilities warranting expedited attention:
Windows Kernel Privilege Escalation
Multiple CVEs address elevation of privilege (EoP) vulnerabilities in the Windows kernel. These are high-value targets for attackers who have already achieved initial access — a local EoP gives an attacker system-level privileges, enabling persistence, credential dumping, and lateral movement.
Microsoft Exchange Server
Exchange Server received patches addressing server-side request forgery (SSRF) and authentication-related weaknesses. Exchange remains a priority target; its role as a mail gateway and its integration with Active Directory make it a persistent focus for threat actors.
Windows Remote Desktop Services
RDS vulnerabilities allowing pre-authentication remote code execution were addressed. With remote work continuing to drive RDP exposure, organizations should ensure patching is current and RDP access is protected by VPN or Zero Trust Network Access (ZTNA) controls.
Azure and Authentication Libraries
Several CVEs address token forgery and authentication spoofing issues in Azure-adjacent components, continuing a pattern of authentication-layer vulnerabilities that have appeared in Microsoft updates throughout 2026.
Patch Prioritization Guidance
Given the volume and severity of this release, security teams should prioritize in roughly this order:
- SharePoint Server (zero-day, actively exploited) — Emergency priority; patch within 24 hours if internet-exposed
- Windows Defender / BlueHammer (publicly disclosed) — High priority; patch within 72 hours
- Chrome (fourth zero-day) — Push auto-update verification to all endpoints immediately
- Windows Kernel EoP — Important; patch within standard cycle (7 days for critical systems, 30 days for others)
- Exchange Server SSRF / auth — Important; prioritize internet-facing Exchange instances
- RDS and Azure — Standard patch cycle, elevated for externally accessible infrastructure
The Bigger Picture: 167 CVEs in a Single Month
April 2026's patch volume reflects a structural trend: vulnerability disclosure rates have risen sharply as AI-assisted security research, more researchers, and greater focus on code auditing accelerate discovery. NIST's NVD and CISA's KEV catalog have both grown substantially in 2026.
For security teams, this creates real operational pressure. Patch management at scale — particularly for organizations with large Windows footprints — requires automation, risk-based prioritization, and increasingly, AI-assisted triage. No security team can manually evaluate 167 CVEs and deploy patches in real time each month.
Key recommendations for managing Patch Tuesday at scale:
- Automate testing and deployment using WSUS, SCCM/Intune, or third-party patch management platforms
- Risk-score your environment — an internet-exposed SharePoint instance gets different urgency than an air-gapped workstation
- Subscribe to vendor advisories — Microsoft's Security Update Guide and CISA's KEV provide machine-readable data for automation
- Establish emergency patch procedures — zero-days require out-of-band response, not waiting for the next monthly window