April patches fix active zero‑days

April’s patch cycle included fixes for an actively exploited Microsoft SharePoint zero-day as Microsoft released patches for 169 vulnerabilities, and Adobe pushed urgent Acrobat/Reader fixes after reported zero-day exploitation.

A software patch is a repair kit for code, and April’s repair cycle included fixes for bugs attackers were already using. Microsoft patched an actively exploited SharePoint flaw, and Adobe rushed out an Acrobat and Reader update after reporting exploitation of its own. (msrc.microsoft.com) (helpx.adobe.com)

Microsoft’s April 2026 Patch Tuesday covered 169 vulnerabilities across its products, according to multiple security roundups tracking the release. One of the most urgent was CVE-2026-32201, a SharePoint Server spoofing bug listed as fixed in SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. (thehackernews.com) (blog.stefan-gossner.com)

SharePoint is Microsoft’s on-premises collaboration server, used inside companies to store documents and run internal sites. Stefan Goßner, a longtime Microsoft SharePoint expert, listed CVE-2026-32201 among the April 14 fixes and said Microsoft Support recommends installing the complete April 2026 cumulative updates for SharePoint 2016 and 2019 rather than piecemeal fixes. (blog.stefan-gossner.com)

Adobe’s emergency item was narrower but just as urgent for desktop users. In bulletin APSB26-43, published April 11 and updated April 12, Adobe said CVE-2026-34621 in Acrobat and Reader for Windows and macOS was being exploited in the wild and could lead to arbitrary code execution. (helpx.adobe.com)

That Adobe flaw was a “prototype pollution” bug, a coding mistake that can let malicious data tamper with how a program handles objects in memory. Adobe assigned it a Priority 1 rating and shipped patched versions 26.001.21411 for the continuous track and 24.001.30362 on Windows for Acrobat 2024 Classic. (helpx.adobe.com)

Adobe then followed with a second Acrobat and Reader bulletin, APSB26-44, on April 14. That advisory covered additional critical and important bugs, but Adobe said it was not aware of in-the-wild exploitation for those issues. (helpx.adobe.com 1) (helpx.adobe.com 2)

For network defenders, the timing matters because SharePoint servers and PDF readers sit in two common attack paths: internal document systems and files opened by employees. Microsoft’s SharePoint fixes were released on April 14, and Adobe’s exploited Acrobat fix landed three days earlier on April 11. (blog.stefan-gossner.com) (helpx.adobe.com)

The SharePoint updates also came with an installation warning for some administrators. Goßner said farms still on the September 2025 cumulative update may need to remove the `NT Authority\system` account from two local security groups first, or the April 2026 SharePoint fixes can fail to install. (blog.stefan-gossner.com)

The immediate job now is simple and unglamorous: patch the server software that runs inside the company, and patch the PDF software that runs on employee machines. April’s security cycle turned both into live-response work, not routine maintenance. (blog.stefan-gossner.com) (helpx.adobe.com)
