The Patch Flood Is Already Here. And the Real Wave Hasn't Hit.
by Brad Hibbert, COO & CSO · 14 min read

BRINQA RESEARCH · APRIL 2026
April 2026 delivered the second-largest Microsoft Patch Tuesday on record, a single-day Chrome CVE record, and simultaneous spikes across every major software vendor. We tracked the data, checked the math, and talked to the analysts. Here is what security teams need to know right now.
On April 7, Anthropic announced Project Glasswing alongside a model called Claude Mythos Preview. The short version: Mythos can autonomously find and chain zero-day vulnerabilities in production software at a depth and speed that previously required elite human researchers. Anthropic decided not to release it publicly. Instead they gave access to a closed coalition of roughly 50 organizations including Microsoft, Google, Apple, Cisco, CrowdStrike, and Palo Alto Networks, with a mandate to use it defensively before adversaries develop similar capabilities.
The security industry spent the following week debating the implications. Meanwhile, April's patch releases quietly told the more immediate story. Every major vendor in the Glasswing coalition shipped record or near-record patch volumes. The exploitation window shrank further. And NIST announced this week that the National Vulnerability Database can no longer keep up with CVE volume and is changing how it operates.
The larger wave is still coming. What landed in April is a preview.
The April Numbers: What We Can Confirm
We pulled vendor advisory data and cross-referenced against independent analysis from Tenable, CrowdStrike, Rapid7, BleepingComputer, and the Zero Day Initiative. Where numbers vary across sources due to counting methodology, we flag it. Here is what is confirmed.
Microsoft: Tied the All-Time Record
Microsoft's April Patch Tuesday addressed 167 CVEs, tying the all-time single-month record set in October 2025. Tenable's Senior Staff Research Engineer Satnam Narang confirmed it as "the second-biggest Patch Tuesday ever for Microsoft." On top of those 167, Microsoft shipped patches for 80 additional browser vulnerabilities in a single week, which Rapid7's Adam Barnett called "a new record in that specific category."
To put April in context, here is the full 2026 Patch Tuesday sequence. January was already elevated at 114 CVEs. February dropped to 58 before climbing back to 79 in March. April's 167 is not the culmination of a steady trend. It is a discontinuity.
The Q1 average was 84 CVEs per month. April came in at 167, exactly double. That math matters for capacity planning: if your team sized remediation workflows around an ~80 CVE baseline for Microsoft alone, April required twice that capacity before any other vendor's releases are counted.
April also included two zero-days. CVE-2026-32201, a SharePoint Server spoofing vulnerability, was under active exploitation before the patch shipped. CVE-2026-33825, a privilege escalation in Microsoft Defender, had working public exploit code on GitHub since April 3. The Windows IKE Extensions flaw (CVE-2026-33824) carried a CVSS score of 9.8 with no user interaction required. Every month of 2026 has now included at least one actively exploited zero-day in Microsoft's release.
Google Chrome: 80-Plus CVEs and a Single-Day Record
Chrome shipped over 80 CVEs across April, including 31 in a single April 15 release, five of which were rated Critical. That single-release count is a new record for the Chromium ecosystem. Google also patched its fourth actively exploited Chrome zero-day of 2026 in April alone. January and February each averaged roughly 15 Chrome CVEs per month. The April jump is approximately 280% above March.
Adobe: 61 CVEs Across 12 Products
Adobe patched 61 unique CVEs across Acrobat Reader, InDesign, InCopy, FrameMaker, Connect, ColdFusion, Bridge, Photoshop, Illustrator, Experience Manager Screens, and the DNG SDK. Tenable confirmed that CVE-2026-34621 in Reader/Acrobat had been actively exploited since at least November 2025 — a five-month window of undetected, weaponized exploitation in production environments.
What the Security Industry Is Saying
We track what our peers are publishing, and the response from the vulnerability management community this month is unusually aligned. Vendors that normally compete on messaging are all saying the same thing.
"A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities. We should expect to see further increases in vulnerability reporting volume as the impact of AI models extends further, both in terms of capability and availability."
Tenable's Satnam Narang confirmed April as "the second-biggest Patch Tuesday ever for Microsoft." He also noted that CVE-2026-34621, the Adobe zero-day patched on April 11, showed signs of active exploitation since at least November 2025 — a five-month undetected window.
"A surge of vendor advisories, patches, and CVE disclosures is coming, on top of a backlog that was already strained. The harder part of vulnerability management is what comes after: figuring out which findings represent real, exploitable risk in your specific environment."
"The window between a vulnerability being discovered and being exploited by an adversary has collapsed. What once took months now happens in minutes with AI. That is not a reason to slow down; it is a reason to move together, faster."
"There are many things we could speculate on to justify the size, but if Microsoft is like the other programs out there (including ours), they are likely seeing a rise in submissions found by AI tools. For us, our incoming rate has essentially tripled, making triage a challenge, to say the least."
"This will break the vulnerability management playbook. Glasswing sets the stage for a potential new vulnerability discovery and cataloging system that is closed and controlled by approved partners. This will disrupt the way signature-based network and application vulnerability scanners fundamentally operate, giving way to AI-based tools."
Notice what is missing from every one of those statements: a credible answer to the triage problem. The gap between finding more vulnerabilities and knowing which ones matter in your specific environment does not close by adding more scanners. It closes through cyber risk prioritization, correlating raw findings against your actual environment to surface what requires action now.
The Exploitation Window Is Already Collapsing
Patch volume is one half of the problem. The other half is the speed at which attackers weaponize what they find. These two trends are moving in opposite directions at the same time.
CrowdStrike's 2026 Global Threat Report found AI-enabled adversary attacks increased 89% year over year. The fastest recorded attacker breakout time is now 27 seconds. Average is 29 minutes. In one documented intrusion, data exfiltration began within four minutes of initial access. Meanwhile, Qualys puts the industry average time to remediate a known vulnerability at over 37 days. And Mandiant has documented exploitation happening before a patch is even available.
That gap, 37-plus days of known exposure against attackers who move in minutes, is not a future problem. It is the operational reality for every unpatched vulnerability in your environment today.
The NVD Just Raised a White Flag
There is a third trend running parallel to patch volume and exploitation speed that is getting less attention than it deserves. It directly affects every vulnerability scanner your team relies on.
On April 15, NIST announced that the National Vulnerability Database can no longer enrich all CVEs. CVE submissions increased 263% between 2020 and 2025. NIST enriched nearly 42,000 CVEs in 2025, 45% more than any prior year, and still could not keep pace. At VulnCon26 this week, NIST computer scientist Harold Booth said plainly: "CVE reporting keeps increasing and our ability to keep up is just not there, so our backlog keeps increasing too."
Starting April 15, NIST will only prioritize enrichment for CVEs in the CISA Known Exploited Vulnerabilities catalog, software used by the federal government, and critical software as defined by Executive Order 14028. Everything else is now categorized as "lowest priority." CVEs reported before March 1, 2026 that remain unenriched are being moved to "not scheduled," meaning they may never receive enrichment.
The practical impact: a growing share of the CVEs flooding your scanners now arrive with no enriched CVSS score, no product mapping, and no actionable severity context. Tools that depend on NVD-sourced severity scoring are increasingly working with incomplete data. This is not a future risk. It took effect this week.
For teams using NVD-sourced CVSS scores as a primary triage input: as of April 15, 2026, NIST will no longer routinely enrich most new CVEs. FIRST forecasts 50,000 or more new CVEs in 2026. Cisco Threat Detection researcher Jerry Gamblin projects the number could reach 70,135. At those volumes, the unenriched gap will widen every month — and the severity context your team depends on to prioritize will degrade in parallel.
The daily CVE disclosure rate climbed from approximately 113 per day in 2024 to 131 per day in 2025. At Q1 2026's pace, that rate is approaching 175 CVEs per day — over 1,200 new CVEs entering the ecosystem every week, before the Mythos disclosure wave arrives.
The Real Wave Has Not Hit Yet
Here is what most of the April coverage is getting wrong. The patch surge we are seeing right now is not primarily Mythos. Rapid7's Adam Barnett was direct about it: the browser CVE spike was already in testing pipelines before the April 7 Glasswing announcement. The current volume increase reflects AI-assisted vulnerability tooling broadly, across the entire research community, not just Glasswing partners.
The Mythos wave is still queued.
VulnCheck researcher Patrick Garrity searched the entire CVE database and found exactly one CVE directly attributable to Glasswing at time of writing: CVE-2026-4747, the FreeBSD NFS remote code execution bug. Anthropic stated in the April 7 announcement that over 99% of the vulnerabilities Mythos identified remain unpatched and undisclosed, working through coordinated disclosure. Anthropic committed to a public summary report within 90 days — arriving around July 2026 — covering what Glasswing has fixed and which vulnerabilities can be disclosed.
"If discovery is cheap and getting cheaper, the scarce resource Glasswing actually organizes isn't model access. It's the institutional capacity to close the loop from discovery through verified remediation."
— Internet Governance Project, April 2026
When the July disclosures start moving, organizations running software across Glasswing member stacks — which is essentially every enterprise — will face coordinated patch releases from multiple vendors simultaneously. Qualys SVP Shailesh Athalye framed the underlying problem well: "A vulnerability found by any tool does not automatically make it a risk in your environment. A critical flaw behind a WAF that fully blocks the attack vector is not your urgent problem. A moderate-severity flaw in an exposed, unpatched internet-facing service with active exploit code in the wild very much is." More CVEs does not mean more risk automatically. It means more noise that your team has to cut through to find the actual risk.
The Instinct to Add More Scanners Is Wrong
When patch volumes surge, the first instinct is to scale the scanner fleet and add headcount. We understand why. But it is the wrong response.
Your scanners are built to answer one question: what vulnerabilities exist in my environment? That question just got significantly harder. But the question your team actually needs to answer is different: which of these vulnerabilities represent real, exploitable risk to my business right now, with my compensating controls in place, against my most critical assets? That is a vulnerability prioritization problem, not a discovery problem.
Scanners do not answer that question. They surface raw findings. The gap between a scanner finding and a remediated risk passes through deduplication, context enrichment, prioritization, routing, ticketing, tracking, and validation. Every handoff in that chain is a delay. Every delay is exposure time. And the NVD enrichment pullback means even the raw severity data feeding into that process is increasingly incomplete for a growing share of CVEs.
Brinqa's Cyber Risk Graph normalizes vulnerability findings from across your scanner ecosystem — Tenable, Qualys, Rapid7, CrowdStrike, Microsoft Defender, and more — and correlates them against actual asset context, business criticality, compensating controls, and real-world exploit intelligence. That correlation is what turns raw CVE volume into actionable, prioritized risk. This is risk-based vulnerability management operating at the speed the current threat environment demands.
- Aggregation across scanners. When April delivers 247 Microsoft CVEs and 80 Chrome CVEs simultaneously, Brinqa deduplicates, normalizes, and scores them against your specific environment — not a generic CVSS baseline that NVD may no longer be enriching.
- Context-aware prioritization. A critical CVE on an internet-facing unpatched asset with active exploit code is not the same risk as the same CVE on an air-gapped system behind compensating controls. Brinqa knows the difference. Your scanner does not.
- Cross-scanner deduplication. When Tenable, Qualys, and CrowdStrike all flag the same vulnerability, Brinqa collapses it to a single finding with full source attribution. Three tools reporting the same CVE is not three times the risk — it should not generate three times the tickets.
- SmartFlow-driven remediation routing. Findings route automatically to the right owners with context, SLA enforcement, and escalation built in. This is how you compress a 37-day average remediation time toward something that matches attacker speed.
- Exploitation signal integration. Brinqa's BrinqaIQ correlates vulnerability data with active exploitation intelligence so your team is working the vulnerabilities attackers are actually using — not the ones with the highest CVSS scores, some of which may no longer carry enriched NVD data behind them.
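The prioritization logic the list above describes, written out as an added illustration (this is not Brinqa's code, and the asset names, CVE ids, scanner sources and score weights are all constructed for the example): findings from several scanners are collapsed per asset and CVE, then ranked by exploitation evidence, exposure and criticality, with CVSS treated as a secondary signal that may be missing for CVEs NVD never enriched, and a blocking compensating control downgrading rather than deleting a finding.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    tier: int            # 1 = most business-critical
    blocks_vector: bool  # a compensating control (e.g. a WAF) fully blocks the attack path

def dedupe(findings):
    """Collapse the same (asset, CVE) pair reported by several scanners into one
    finding, keeping every source for attribution."""
    merged = {}
    for f in findings:
        merged.setdefault((f["asset"], f["cve"]), set()).add(f["source"])
    return [{"asset": a, "cve": c, "sources": sorted(s)} for (a, c), s in merged.items()]

def risk_score(intel, asset):
    """0-100 environmental risk. Exploitation evidence and exposure dominate;
    CVSS is secondary and may be None when NVD never enriched the CVE."""
    score = 40 if intel.get("kev") else 25 if intel.get("public_exploit") else 0
    score += 25 if asset.internet_facing else 0
    score += 15 if asset.tier == 1 else 0
    cvss = intel.get("cvss")
    # Unenriched CVE: carry the full severity weight rather than burying it as "low".
    score += 15 if cvss is None else int(cvss * 1.5)
    if asset.blocks_vector:
        score //= 4  # downgrade behind a blocking control, never drop the finding
    return min(score, 100)

def prioritize(findings, intel, assets):
    """Return (score, finding) pairs, highest risk first (hypothetical helper)."""
    ranked = [(risk_score(intel.get(f["cve"], {}), assets[f["asset"]]), f) for f in dedupe(findings)]
    return sorted(ranked, key=lambda r: (-r[0], r[1]["asset"], r[1]["cve"]))

# Constructed sample data; the CVE ids are placeholders, not real identifiers.
ASSETS = {
    "erp-app": Asset("erp-app", internet_facing=True, tier=1, blocks_vector=True),
    "vpn-gw": Asset("vpn-gw", internet_facing=True, tier=1, blocks_vector=False),
    "build-srv": Asset("build-srv", internet_facing=False, tier=2, blocks_vector=False),
}
INTEL = {
    "CVE-0000-0001": {"cvss": 9.8, "kev": False, "public_exploit": False},  # critical, but behind a WAF
    "CVE-0000-0002": {"cvss": 6.5, "kev": False, "public_exploit": True},   # moderate, exploit in the wild
    "CVE-0000-0003": {"cvss": None, "kev": True, "public_exploit": True},   # never enriched by NVD
}
FINDINGS = [{"source": s, "asset": a, "cve": c} for s, a, c in [
    ("tenable", "erp-app", "CVE-0000-0001"), ("tenable", "vpn-gw", "CVE-0000-0002"),
    ("qualys", "vpn-gw", "CVE-0000-0002"), ("crowdstrike", "vpn-gw", "CVE-0000-0002"),
    ("qualys", "build-srv", "CVE-0000-0003")]]

for score, f in prioritize(FINDINGS, INTEL, ASSETS):
    print(f"{score:3d}  {f['asset']:10s} {f['cve']}  via {','.join(f['sources'])}")
```

Running it ranks the moderate CVE on the exposed VPN gateway first, the unenriched KEV entry second, and the CVSS 9.8 flaw behind the blocking WAF last, with the three scanner reports for the gateway collapsed into one finding.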
The teams that navigate this environment well are not the ones that find the most vulnerabilities. They are the ones that know which vulnerabilities matter and can move on them before the window closes.
Five Recommendations for Your Patching Process Before July
1. Audit your scanner-to-ticket pipeline now. If Tenable or Qualys findings still require manual triage before reaching a remediation owner, that process will not survive a sustained doubling of monthly CVE volume. Map every handoff. Automate where you can. The July Mythos disclosure wave will not wait for a change management meeting.
2. Change your primary metric. Stop measuring mean time to remediate. Start measuring Average Window of Exposure: the time between a confirmed exploitable vulnerability entering your environment and its validated closure. That is the metric that maps to actual risk when exploitation timelines are measured in hours. Most organizations cannot currently calculate it. That is the problem.
3. Audit your legacy software surface. Mythos has surfaced vulnerabilities that are 13, 16, and 27 years old in widely deployed production software. If your environment includes open-source components, edge infrastructure, or OT systems without a recent deep security review, assume undiscovered vulnerabilities exist. They almost certainly do.
4. Build your emergency patch process before you need it. April included unauthenticated RCE flaws with CVSS 9.8. If your change management process takes two weeks to approve an emergency patch on a critical internet-facing asset, compress that to hours for Tier 1 systems. Do it now, when you have time to test the process, not when the next critical zero-day drops.
5. Watch the July disclosure window closely. Anthropic's 90-day summary report is due around July 2026. When it publishes, coordinated CVE disclosures across multiple Glasswing vendors will follow. Prepare for a disclosure event that will likely exceed anything April delivered. The organizations that are ready will have pre-staged response workflows. The ones that are not will scramble to build them on the day the disclosures drop.
April 2026 is a warning shot. The structural change in the vulnerability landscape is real, and it is not temporary. The teams that treat this month as a signal to build better processes will be positioned for what comes next. The ones that treat it as a one-time spike will not be.
We are tracking vendor advisory volumes, the Mythos disclosure process, and the NVD enrichment situation closely. The Brinqa Cyber Risk Graph is already processing and correlating the April releases across our customers' environments.
If you want to understand your current exposure posture in the context of this month's data, reach out to the Brinqa Experts team.