Microsoft has released its April 2026 security updates, addressing 169 vulnerabilities across its ecosystem. This month marks the second-largest Patch Tuesday in the company’s history, trailing only the record set in October 2025. The release is headlined by the remediation of an actively exploited zero-day in SharePoint Server and a high-profile privilege escalation flaw in Microsoft Defender that was publicly disclosed earlier this month.
The SharePoint Zero-Day and CISA Intervention
The most urgent item for administrators this month is CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server. It carries a CVSS score of only 6.5 and stems from improper input validation. Microsoft found the bug internally, but it has since been observed being exploited in the wild. An unauthorized attacker can trigger it over the network to spoof content, manipulating what users see in the SharePoint interface or tricking them into trusting attacker-controlled content. The moderate base score is a poor guide to priority here: a bug with confirmed exploitation belongs at the top of the queue regardless of its CVSS rating.
Because of the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply the patch by April 28, 2026; the stated risk is unauthorized data modification and disclosure of sensitive information.
Defusing the ‘BlueHammer’ Exploit in Microsoft Defender
Another major highlight of the April update is the fix for CVE-2026-33825 (CVSS score: 7.8), a privilege escalation vulnerability in Microsoft Defender. This flaw gained notoriety under the name “BlueHammer” after a security researcher using the alias “Chaotic Eclipse” published exploit code on GitHub on April 3, 2026. The public disclosure followed a reported breakdown in communication during the vulnerability disclosure process.
BlueHammer is a logic flaw built from legitimate Windows features rather than a memory-safety bug. It abuses the Volume Shadow Copy service during Defender's update workflow and uses Cloud Files (cloud filter) callbacks to stall Defender at precise moments, giving a low-privileged user read access to the SAM, SYSTEM and SECURITY registry hives, which unprivileged users cannot normally read. Those hives hold the local account password hashes, the boot key that protects them and the LSA secrets, which is enough to escalate to NT AUTHORITY\SYSTEM. Microsoft notes that because Defender updates itself automatically by default, most users will receive the fix without manual intervention; what remains for administrators is to confirm that the update actually landed on endpoints where automatic updates are blocked, delayed or managed centrally.
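The verification step for both fixes is the same question asked of two components: is the installed version at or above the build that carries the fix? The following script is an added example, not code from the article, from Microsoft or from the BlueHammer author. This page does not state the fixed Defender platform version or the fixed SharePoint build, so both are parameters to be filled in from the relevant Microsoft advisory or KB article; the release date of 2026-04-14 (the second Tuesday of April 2026) is an assumption about when the updates shipped.

```powershell
# Added example (not from the article, Microsoft or the BlueHammer author):
# host-side check that the April 2026 fixes are present. Expected versions are
# parameters because this page does not state them; assumption: the advisory
# expresses each fix as a minimum platform/build version, as Defender and
# SharePoint advisories normally do.
param(
    [version]$FixedDefenderPlatform,      # AMProductVersion carrying the CVE-2026-33825 fix (from the advisory)
    [version]$FixedSharePointBuild,       # farm build carrying the CVE-2026-32201 fix (from the KB for your SharePoint version)
    [datetime]$ReleaseDate = '2026-04-14' # assumption: second Tuesday of April 2026
)

function Test-MinimumVersion {
    # Returns $null when no expected value was supplied, so the report never
    # silently says "patched" against an empty threshold.
    param([version]$Installed, [version]$Expected)
    if (-not $Expected) { return $null }
    return $Installed -ge $Expected
}

function Get-DefenderPatchState {
    param([version]$Expected)
    # Defender platform/engine updates are not listed by Get-HotFix, so the
    # installed platform version comes from the Defender status object.
    $status    = Get-MpComputerStatus
    $installed = [version]$status.AMProductVersion
    [pscustomobject]@{
        Component         = 'Defender platform (AMProductVersion)'
        Installed         = $installed
        Expected          = $Expected
        Patched           = Test-MinimumVersion -Installed $installed -Expected $Expected
        # Stale signatures are a sign that the Defender update channel itself
        # is blocked, in which case the platform fix is unlikely to have landed.
        SignaturesUpdated = $status.AntivirusSignatureLastUpdated
    }
}

function Get-SharePointPatchState {
    param([version]$Expected)
    # Only meaningful on a SharePoint server; load the snap-in if this shell
    # was not started as the SharePoint Management Shell.
    if (-not (Get-Command Get-SPFarm -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    }
    if (-not (Get-Command Get-SPFarm -ErrorAction SilentlyContinue)) { return $null }
    $build = (Get-SPFarm).BuildVersion
    [pscustomobject]@{
        Component         = 'SharePoint farm build'
        Installed         = $build
        Expected          = $Expected
        Patched           = Test-MinimumVersion -Installed $build -Expected $Expected
        SignaturesUpdated = $null
    }
}

function Get-UpdatesSince {
    # Windows updates installed on or after Patch Tuesday, from the
    # Win32_QuickFixEngineering view that Get-HotFix wraps.
    param([datetime]$Since)
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn
}

$report     = @(Get-DefenderPatchState -Expected $FixedDefenderPlatform)
$sharePoint = Get-SharePointPatchState -Expected $FixedSharePointBuild
if ($sharePoint) { $report += $sharePoint }

$report | Format-Table Component, Installed, Expected, Patched, SignaturesUpdated -AutoSize
"Windows updates installed since $($ReleaseDate.ToString('yyyy-MM-dd')):"
Get-UpdatesSince -Since $ReleaseDate | Format-Table -AutoSize
```

Two caveats when reading the output. A SharePoint farm build that still trails the expected value after the update package has been installed usually means the SharePoint Products Configuration Wizard (psconfig) has not yet been run, since the farm build only advances when the configuration database is upgraded; Get-SPProduct -Local shows the per-product patch state in that situation. And a Patched column of blank rather than True/False means no expected version was passed in, not that the host is clean.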
Trends in the April 2026 Vulnerability Landscape
The volume of patches this month underscores a trend in which Elevation of Privilege (EoP) bugs have become the dominant vulnerability class in Microsoft's releases. Researchers noted that 2026 is currently on track to exceed 1,000 Patch Tuesday CVEs for the year. The six impact categories below account for 168 of the 169 vulnerabilities and show a heavy concentration on privilege escalation:
- 93 Elevation of Privilege vulnerabilities (55% of the total)
- 21 Information Disclosure vulnerabilities
- 21 Remote Code Execution (RCE) vulnerabilities
- 14 Security Feature Bypass vulnerabilities
- 10 Spoofing vulnerabilities
- 9 Denial-of-Service vulnerabilities
Notably, RCE vulnerabilities are down to 12% of the month's fixes, tied with information disclosure bugs. The update also incorporates four non-Microsoft CVEs (identifiers assigned by other vendors or CNAs) covering components such as Node.js, AMD hardware and Windows Secure Boot.
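With 169 CVEs to schedule, the ordering rule matters more than the headline count, and this month illustrates why CVSS alone misranks: the exploited SharePoint bug scores 6.5 while the Defender bug with public exploit code scores 7.8, and neither would lead a list sorted by base score. The script below is an added example, not from the article, showing a tiering rule that puts exploitation evidence and public exploit code ahead of the score. The two named rows carry the attributes this page reports for them; the EXAMPLE-* rows and the column names are this example's own constructed placeholders, not real identifiers or the Security Update Guide's schema.

```powershell
# Added example (not from the article): patch-ordering rule for a large release.
# Exploitation evidence and public exploit code outrank the CVSS base score.
# CVE-2026-32201 and CVE-2026-33825 carry the attributes reported on this page;
# the EXAMPLE-* rows are constructed placeholders, not real vulnerabilities.
$release = @(
    [pscustomobject]@{ Id = 'CVE-2026-32201'; Product = 'SharePoint Server';  Impact = 'Spoofing';               CVSS = 6.5; Exploited = $true;  PublicPoC = $false; InKEV = $true  }
    [pscustomobject]@{ Id = 'CVE-2026-33825'; Product = 'Microsoft Defender'; Impact = 'Elevation of Privilege'; CVSS = 7.8; Exploited = $false; PublicPoC = $true;  InKEV = $false }
    [pscustomobject]@{ Id = 'EXAMPLE-1';      Product = '(placeholder)';      Impact = 'Remote Code Execution';  CVSS = 9.8; Exploited = $false; PublicPoC = $false; InKEV = $false }
    [pscustomobject]@{ Id = 'EXAMPLE-2';      Product = '(placeholder)';      Impact = 'Elevation of Privilege'; CVSS = 7.8; Exploited = $false; PublicPoC = $false; InKEV = $false }
    [pscustomobject]@{ Id = 'EXAMPLE-3';      Product = '(placeholder)';      Impact = 'Information Disclosure'; CVSS = 5.5; Exploited = $false; PublicPoC = $false; InKEV = $false }
)

function Get-PatchTier {
    # Tier 0: exploited in the wild or listed in CISA KEV (a deadline applies).
    # Tier 1: public exploit code exists, so exploitation is a matter of time.
    # Tier 2: everything else; CVSS only orders entries within a tier.
    param([Parameter(Mandatory, ValueFromPipeline)]$Cve)
    process {
        $tier = if ($Cve.Exploited -or $Cve.InKEV) { 0 } elseif ($Cve.PublicPoC) { 1 } else { 2 }
        $Cve | Add-Member -NotePropertyName Tier -NotePropertyValue $tier -PassThru
    }
}

# Ascending tier, then descending CVSS, then Id for a stable order.
$ordered = $release | Get-PatchTier |
    Sort-Object Tier, @{ Expression = 'CVSS'; Descending = $true }, Id

$ordered | Format-Table Tier, Id, Product, Impact, CVSS, Exploited, PublicPoC, InKEV -AutoSize
```

Run as written, the SharePoint bug sorts first and the Defender bug second, ahead of the placeholder 9.8 RCE that has no known exploitation. To use it on a real release, replace $release with Import-Csv over your own export and map its columns onto the Exploited, PublicPoC, InKEV and CVSS names the tiering function expects.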
Conclusion
With 169 new vulnerabilities and 78 additional fixes for the Edge browser, the April 2026 Patch Tuesday represents a significant maintenance burden for IT security teams. The combination of an actively exploited SharePoint zero-day and the public ‘BlueHammer’ exploit makes immediate testing and deployment of these patches a top priority for organizations looking to maintain a robust security posture.