Microsoft Patch Tuesday April 2026: 167 Fixes, Zero‑Day Threats and AI‑Driven Surge

Microsoft Patch Tuesday April 2026 Highlights

Microsoft Patch Tuesday delivered a historic wave of updates on Tuesday, April 29, 2026, addressing ↑ 167 security flaws across Windows, SharePoint and ancillary tools. SharePoint Server faced a zero‑day (CVE‑2026‑32201) that lets threat actors spoof trusted content over a network.

Mike Walters, president of Action1, warned that the flaw could enable phishing, data manipulation and broader compromise.

Google Chrome patched its fourth zero‑day of the year, while Adobe rushed an emergency fix for CVE‑2026‑34621, a remote‑code execution bug active since November 2025.

BlueHammer (CVE‑2026‑33825) – a privilege escalation issue in Windows Defender – was publicly exploited after a researcher released exploit code. Tharros analyst Will Dormann confirmed the code fails on today’s patches.

AI‑driven surge in vulnerability reporting

Rapid7’s Adam Barnett noted the patch bundle includes ↑ 60 browser‑related flaws, a record volume he attributes to advancing AI tools that can scan code at scale. “The trend will keep rising as AI models become more capable,” he said.

Experts urge users to fully close and restart browsers to apply fixes. The latest Chrome update remedied 21 issues, including the high‑severity zero‑day CVE‑2026‑5281.

For a detailed per‑patch list, see the SANS Internet Storm Center roundup. Further analysis can be found at Reuters and Bloomberg.