April 2026 Patch Tuesday: 167 Fixes, Three Zero-Days

Microsoft patched 167 CVEs including a SharePoint zero-day and BlueHammer Windows Defender flaw. Chrome and Adobe Reader also need urgent updates.

What Happened

Microsoft's April 2026 Patch Tuesday release is one of the heaviest in recent memory, addressing 167 security vulnerabilities across Windows operating systems and related software. Two vulnerabilities are drawing immediate attention from security teams: a zero-day in SharePoint Server that is actively being exploited in the wild, and a publicly disclosed flaw in Windows Defender dubbed "BlueHammer" — a name that should raise flags for any organization relying on Microsoft's built-in endpoint protection.

The same day, Google pushed a fix for Chrome's fourth zero-day of 2026 — a troubling pace that signals attackers are investing heavily in browser exploitation this year. Adobe also issued an emergency patch for Adobe Reader, correcting an actively exploited flaw capable of achieving remote code execution (RCE) on unpatched machines. That combination — a browser zero-day and an RCE in a document reader — is a classic phishing attack chain, and the timing is not coincidental.

Original reporting on this release comes from Brian Krebs at KrebsOnSecurity.

Breaking Down the Biggest Risks

SharePoint Server Zero-Day: SharePoint is widely deployed across healthcare networks, law firms, accounting practices, and small-to-mid-size businesses as a document collaboration and intranet platform. A zero-day — meaning attackers were exploiting it before a patch existed — is the most urgent category of vulnerability. Organizations running on-premises SharePoint should treat this patch as a drop-everything priority. If your SharePoint instance is internet-facing or accessible via VPN without multi-factor authentication, your exposure is significantly elevated.

BlueHammer — Windows Defender Flaw: The public disclosure of a weakness in Windows Defender is particularly significant because Defender is the default endpoint protection layer for the majority of Windows environments. A flaw here can mean attackers are able to bypass or disable the very tool designed to catch them. While "publicly disclosed" doesn't always mean actively exploited yet, the publication of vulnerability details gives threat actors a roadmap. Organizations that have not moved beyond relying solely on Defender — without additional endpoint detection and response (EDR) tooling — should reassess that posture immediately.

Chrome Zero-Day #4 of 2026: Four browser zero-days in fewer than four months is a signal worth heeding. Browsers are the front door for most modern attacks — malicious links, drive-by downloads, and credential harvesting all route through them. Enforcing automatic browser updates across your fleet is non-negotiable, but many small practices and businesses still allow employees to defer updates indefinitely.

Adobe Reader RCE: An actively exploited remote code execution flaw in Adobe Reader is a direct enabler of document-based attacks. Tax professionals, medical billing staff, and anyone processing PDFs from external parties (which is nearly every business) are in the blast radius here. A malicious PDF delivered via email, opened in an unpatched Reader, can hand an attacker full control of that endpoint.

Urgent Action Required

Patch these four items before the end of the week: Windows/SharePoint (zero-day, actively exploited), Windows Defender (BlueHammer, publicly disclosed), Google Chrome (zero-day #4), and Adobe Reader (RCE, actively exploited). If your organization relies on a managed service provider or IT support, contact them today to confirm these updates are queued. Do not wait for a scheduled maintenance window for the actively exploited items.

What This Means for Your Business

For healthcare practices: HIPAA's Security Rule requires covered entities to apply security patches in a reasonable and timely manner. "Reasonable and timely" in the context of an actively exploited SharePoint zero-day means days, not weeks. If your practice uses SharePoint for patient records, scheduling, or internal communications, escalate this to your IT team or MSP immediately and document the remediation timeline.

For tax professionals and accounting firms: You are processing sensitive financial data and receiving PDFs from clients daily. The Adobe Reader RCE combined with Chrome's zero-day creates a realistic scenario where a malicious document or link from a spoofed client email compromises your workstation. Ensure Reader is patched and consider enabling Protected Mode in Adobe Acrobat settings as an additional layer.

For small businesses: The BlueHammer disclosure is a reminder that relying on a single layer of endpoint protection — even from a reputable vendor like Microsoft — is insufficient. Layered security means combining Defender with a separate EDR solution, applying patches promptly, enforcing MFA on all remote access, and training staff to recognize phishing attempts. If budget is a constraint, prioritize patching and MFA above all else.

For all readers: 167 patches in a single month is not normal noise — it reflects the accelerating pace at which attackers are discovering and weaponizing vulnerabilities. Patch management is no longer an IT housekeeping task; it is a core business risk function. Organizations without a documented, tested patch management process should treat this month's release as the catalyst to build one.

Immediate Action Checklist

  • Apply all April 2026 Windows updates via Windows Update or your patch management platform
  • Verify SharePoint Server is patched — prioritize if internet-facing
  • Confirm Google Chrome is on the latest version across all workstations (check Help > About Google Chrome)
  • Update Adobe Acrobat/Reader to the latest version; disable it entirely if staff don't regularly use it
  • Review whether Windows Defender is your sole endpoint protection — if so, evaluate adding an EDR layer
  • Remind staff to be skeptical of unexpected PDF attachments and links, even from known contacts
