Patch Tuesday, April 2026 Edition

Microsoft has released software updates to address a massive 167 security flaws in its Windows operating systems and related programs, including a zero-day vulnerability in SharePoint Server and a publicly known Windows Defender issue called "BlueHammer." Separately, Google Chrome has resolved its fourth zero-day vulnerability of 2026, while Adobe has issued an emergency update for Reader to patch an actively exploited flaw that enables remote code execution.

Microsoft is warning that attackers are already exploiting CVE-2026-32201, a SharePoint Server vulnerability that lets threat actors spoof trusted content or interfaces across a network. Action1 president and co-founder Mike Walters noted that CVE-2026-32201 can be leveraged to trick employees, partners, or customers by displaying falsified information inside legitimate SharePoint environments. "This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise," Walters said. The existence of active exploitation substantially heightens an organization's risk level.

Microsoft also fixed BlueHammer (CVE-2026-33825), a privilege-escalation vulnerability in Windows Defender. According to BleepingComputer, after reporting the vulnerability to Microsoft and becoming frustrated with their handling of it, the discovering researcher released proof-of-concept exploit code. Will Dormann, a senior principal vulnerability analyst at Tharros, confirmed that the publicly available BlueHammer exploit code stops working once today's patches are installed.

Satnam Narang, senior staff research engineer at Tenable, noted that April's Patch Tuesday was Microsoft's second-largest on record. Narang added that there are signs the zero-day vulnerability Adobe addressed via an emergency patch on April 11 — CVE-2026-34621 — has been actively exploited since at least November 2025.

Adam Barnett, lead software engineer at Rapid7, described Microsoft's patch release today as "a new record in that category," noting that it covers almost 60 browser vulnerabilities. Barnett noted that it might be tempting to link this sudden surge to the excitement surrounding last week's announcement of Project Glasswing — Anthropic's much-hyped but unreleased new AI feature, which is said to be highly effective at discovering bugs across a broad spectrum of software. However, he pointed out that Microsoft Edge is built on the Chromium engine, whose maintainers regularly credit a wide array of researchers for the vulnerabilities that Microsoft republished on Friday. "A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities," Barnett said.

  Krebs on Security