Microsoft has released its initial security update for 2026, addressing a total of 114 security vulnerabilities across Windows operating systems and supported software. The update package includes fixes for one actively exploited zero-day vulnerability and two additional zero-day vulnerabilities that had been publicly disclosed prior to the patch release. Eight of the resolved flaws are rated as "Critical."
Overall Update Details
The January 2026 security update addresses 114 vulnerabilities, with 8 classified as Critical and 106 as Important. This update represents the third-largest January Patch Tuesday, following updates in January 2025 and January 2022.
The vulnerabilities are categorized as follows:
- 57 Elevation of Privilege (EoP) flaws
- 22 Remote Code Execution (RCE) flaws
- 22 Information Disclosure (ID) flaws
- 5 Spoofing flaws
- 3 Security Feature Bypass (SFB) flaws
- 2 Denial of Service (DoS) flaws
These counts specifically refer to vulnerabilities released by Microsoft on this Patch Tuesday and do not include separate fixes for Microsoft Edge vulnerabilities released earlier in the month.
Actively Exploited and Publicly Disclosed Zero-Day Vulnerabilities
Three zero-day vulnerabilities were patched in this release:
- CVE-2026-20805 - Desktop Window Manager Information Disclosure Vulnerability: This flaw, with a CVSS score of 5.5, is actively being exploited. It affects the Desktop Window Manager (DWM) and could allow a local, authorized attacker to disclose user-mode memory information, specifically a section address from a remote Asynchronous Local Procedure Call (ALPC) port. Security experts indicate that vulnerabilities of this nature can be used to bypass Address Space Layout Randomization (ASLR). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to apply fixes by February 3, 2026. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) are credited with its discovery.
- CVE-2026-21265 - Secure Boot Certificate Expiration Security Feature Bypass Vulnerability: This publicly disclosed security feature bypass vulnerability, with a CVSS score of 6.4, addresses Windows Secure Boot certificates from 2011 that are nearing expiration in June and October 2026. The update renews these certificates to maintain the Secure Boot trust chain and ensure continued verification of boot components. Microsoft previously advised customers in November 2025 to update to 2023 counterparts to avoid potential booting disruptions.
- CVE-2023-31096 - Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability: This publicly disclosed vulnerability, with a CVSS score of 7.8, concerns third-party Agere Modem drivers (agrsm64.sys and agrsm.sys) that have been included in Windows for decades. These drivers were previously exploited to gain SYSTEM permissions. The update removes these drivers from Windows. Zeze with TeamT5 is credited for this discovery. Microsoft also removed another Agere Modem driver (ltmdm64.sys) in October 2025 due to a separate actively exploited privilege escalation vulnerability (CVE-2025-24990).
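To confirm on a given host that the Agere driver files named above (agrsm64.sys, agrsm.sys, ltmdm64.sys) are gone after patching, a read-only inventory such as the following can be used. It is an added example, not Microsoft's tooling; the System32\drivers location and the report column names are assumptions.

```powershell
# Added example: inventory the legacy Agere soft-modem drivers named in the article.
# Read-only. Run from an elevated session so every driver service is visible.
$driverNames = 'agrsm64.sys', 'agrsm.sys', 'ltmdm64.sys'      # file names from the article
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'   # assumed default location

# Kernel driver services registered on this machine and the binary each one loads.
$services = Get-CimInstance -ClassName Win32_SystemDriver

$report = foreach ($name in $driverNames) {
    $path = Join-Path $driverDir $name
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue

    # Match the file name at the end of PathName, whatever prefix the path uses
    # (\SystemRoot\..., C:\Windows\..., \??\C:\...). The leading backslash keeps
    # agrsm.sys from matching agrsm64.sys.
    $svc = $services | Where-Object { $_.PathName -like "*\$name" }

    [pscustomobject]@{
        Driver      = $name
        FileOnDisk  = [bool]$file
        FileVersion = if ($file) { $file.VersionInfo.FileVersion } else { $null }
        Signature   = if ($file) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { $null }
        Service     = ($svc.Name -join ',')
        State       = ($svc.State -join ',')
        StartMode   = ($svc.StartMode -join ',')
    }
}

$report | Format-Table -AutoSize

# A host is clean when no file remains and no driver service still points at one.
$remaining = $report | Where-Object { $_.FileOnDisk -or $_.Service }
if ($remaining) {
    Write-Warning ("Legacy Agere driver still present: " + ($remaining.Driver -join ', '))
} else {
    Write-Output 'No Agere soft-modem driver files or services found.'
}
```

A driver reported as still present after the January 2026 update is installed points to a host that did not take the update cleanly or to a copy staged outside the default driver directory.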
Other Critical and Significant Vulnerabilities
Among the eight Critical vulnerabilities addressed, several significant issues include:
- Microsoft Office Remote Code Execution Vulnerabilities (CVE-2026-20952, CVE-2026-20953): These vulnerabilities can be triggered by viewing a malicious message in the Preview Pane of Microsoft Office applications.
- Microsoft Office Excel Remote Code Execution Vulnerabilities (CVE-2026-20957, CVE-2026-20955)
- Microsoft Office Word Remote Code Execution Vulnerability (CVE-2026-20944)
- Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability (CVE-2026-20854)
- Microsoft Graphics Component Elevation of Privilege Vulnerability (CVE-2026-20822)
- Windows Virtualization-Based Security (VBS) Enclave Privilege Escalation (CVE-2026-20876): Rated with a CVSS score of 6.7, this flaw allows an attacker to obtain Virtual Trust Level 2 (VTL2) privileges, potentially subverting security controls and compromising Windows' virtualization-based security.
Context and Additional Updates
In addition to Microsoft's updates, other vendors have also issued security patches:
- Mozilla released updates for Firefox (version 147) and Firefox ESR (version 140.7), resolving 34 vulnerabilities. Two of these (CVE-2026-0891 and CVE-2026-0892) are suspected to be under active exploitation.
- Separate patches for two security flaws in Microsoft Edge were released since the December 2025 update, including a spoofing flaw in its Android app (CVE-2025-65046) and an insufficient policy enforcement issue in Chromium's WebView tag (CVE-2026-0628). Google Chrome and Microsoft Edge updates are anticipated, following a high-severity vulnerability in Chrome WebView (CVE-2026-0628) that was resolved in early January.