Microsoft shipped 169 security fixes on this month’s Patch Tuesday — the second-biggest monthly drop in the program’s history — and at least one of them was already being exploited when the patch landed. The outlier is CVE-2026-32201, a spoofing flaw in SharePoint Server that CISA had already added to its Known Exploited Vulnerabilities catalog by the time practitioners woke up to the advisory on April 15. Federal agencies have until April 28 to patch or pull the product; everyone else should assume the same clock.
What’s actually on fire
The SharePoint bug (CVSS 6.5) lets an attacker spoof trusted UI or content over the network, which in practice chains well with phishing lures already staged against collaboration tenants. Separately, Krebs notes a publicly disclosed Windows Defender privilege-escalation flaw tracked as CVE-2026-33825 and nicknamed BlueHammer by the researchers who reported it; there is no evidence of in-the-wild exploitation yet, but the proof-of-concept is out there. The bigger rock in this month’s pile is CVE-2026-33824, a remote code execution flaw in the Windows IKE Service with a CVSS of 9.8. There is no public exploit, but the severity plus the network-reachable service plus IKE’s history make this a credible Q2 target.
Chrome, Adobe, Node, Git — everyone shipped
This wasn’t a Microsoft-only event. Google Chrome pushed its fourth zero-day fix of 2026. Adobe Reader got an emergency update for an actively exploited flaw that leads to RCE when a document is opened. Node.js, Git for Windows, Windows Secure Boot, and an older AMD microcode issue all got entries in the same 48-hour window. Krebs counts nearly sixty browser-specific vulnerabilities in this cycle alone.
Why it matters for practitioners
Two practical takeaways for the SOC and the patching team:
- Treat SharePoint Online tenants as exposed until ruled out. The spoofing class of bug frequently chains into credential harvesting; look for anomalous auth events against the site collections you care about.
- The volume is now the story. Microsoft has shipped 1,000+ CVEs in a calendar year for three consecutive years. The patching programme that worked at 600/year is quietly failing. Review your prioritisation queue against CISA KEV, not CVSS, or you will miss things that are already being exploited.
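One way to run that KEV-first review, as an added example rather than code from this article or its sources. The feed and queue are constructed samples (the feed uses the cveID and dueDate fields of CISA's KEV JSON), and the public_poc field and three-tier ordering are assumptions of the example.

```python
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed ("vulnerabilities" entries
# with "cveID" and "dueDate"); a real run would load the downloaded feed instead.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2026-32201", "dueDate": "2026-04-28"},
]}

# Constructed patch queue built from the CVEs and scores named in this article.
# cvss=None: the article gives no score. public_poc is a hypothetical field.
QUEUE = [
    {"cve": "CVE-2026-33824", "cvss": 9.8, "public_poc": False},
    {"cve": "CVE-2026-33825", "cvss": None, "public_poc": True},
    {"cve": "CVE-2026-32201", "cvss": 6.5, "public_poc": False},
]


def kev_due_dates(feed):
    """Map CVE id -> KEV remediation due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in feed.get("vulnerabilities", [])}


def by_cvss(queue):
    """Severity-only ordering: highest CVSS first, unscored entries last."""
    return sorted(queue, key=lambda i: -(i["cvss"] or 0.0))


def by_kev(queue, feed, today):
    """KEV entries first (nearest due date), then public PoC, then CVSS."""
    due = kev_due_dates(feed)
    ranked = []
    for item in queue:
        d = due.get(item["cve"])
        tier = 0 if d else (1 if item["public_poc"] else 2)
        days_left = (d - today).days if d else None  # negative means overdue
        ranked.append({**item, "tier": tier, "days_left": days_left})
    # Ties inside a tier fall back to CVSS, so severity still counts, just last.
    return sorted(ranked, key=lambda i: (i["tier"], i["days_left"] or 0,
                                         -(i["cvss"] or 0.0)))


if __name__ == "__main__":
    today = date(2026, 4, 15)
    print("CVSS order:", [i["cve"] for i in by_cvss(QUEUE)])
    for i in by_kev(QUEUE, KEV_FEED, today):
        print(i["cve"], "tier", i["tier"], "days left:", i["days_left"])
```

Sorted by CVSS alone, the SharePoint entry sits behind the 9.8 IKE flaw; sorted KEV-first, it leads the queue with its remaining days to the due date attached.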
Full technical breakdowns are in The Hacker News’ and Krebs’ coverage linked above.