Microsoft Security Updates Address Multiple Exploited Vulnerabilities in Windows and Office

Microsoft Addresses Critical Vulnerabilities in Early 2026 Security Updates

Microsoft has released multiple rounds of security updates in early 2026, addressing a significant number of vulnerabilities across its Windows operating systems and software suites, including several that were actively exploited prior to patching.

January 2026 Patch Tuesday Overview

On its January 2026 Patch Tuesday, Microsoft released updates addressing 114 security flaws. According to the company's classification, eight of these were rated as "Critical," while 106 were rated as "Important."

The vulnerabilities included 57 elevation of privilege flaws, 22 remote code execution flaws, 22 information disclosure flaws, five spoofing flaws, three security feature bypass flaws, and two denial of service flaws.

Actively Exploited and Publicly Disclosed Flaws

The January updates patched three zero-day vulnerabilities:

  • CVE-2026-20805: An information disclosure vulnerability in the Desktop Window Manager (DWM) that was actively exploited. Microsoft stated it could allow a local attacker to disclose memory information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by February 3, 2026.
  • CVE-2026-21265: A publicly disclosed security feature bypass related to Windows Secure Boot. The fix addresses the impending expiration of the 2011 root certificates used in the Secure Boot trust chain, which are set to begin expiring in June 2026.
  • CVE-2023-31096: A publicly disclosed elevation of privilege vulnerability in third-party Agere Soft Modem drivers (agrsm64.sys and agrsm.sys). Microsoft removed these drivers from Windows as part of the update.

Critical Vulnerabilities

Among the eight Critical-rated vulnerabilities patched in January were remote code execution flaws in Microsoft Office (CVE-2026-20952, CVE-2026-20953), Microsoft Excel (CVE-2026-20957, CVE-2026-20955), and Microsoft Word (CVE-2026-20944). A critical elevation of privilege flaw was also patched in the Windows Virtualization-Based Security (VBS) Enclave (CVE-2026-20876).

Emergency Office Update in January

Separate from the scheduled Patch Tuesday release, Microsoft issued emergency out-of-band updates for a high-severity zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509.

  • The flaw is a security feature bypass with a CVSS score of 7.8, affecting Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise.
  • Microsoft stated exploitation requires an attacker to send a malicious Office file and convince the user to open it; the Preview Pane is not an attack vector. The vulnerability bypasses protections for unsafe COM and OLE controls.
  • Patches were released for most supported versions. For Office 2016 and 2019, specific updates were required (e.g., version 16.0.10417.20095 for Office 2019). Microsoft also provided a manual Windows Registry modification as an interim mitigation.
  • CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, with a federal agency remediation deadline of February 16, 2026.

February 2026 Patch Tuesday Overview

Microsoft's February 2026 Patch Tuesday addressed 58 vulnerabilities, five of which were rated "Critical." The update included fixes for six actively exploited zero-day vulnerabilities, three of which had also been publicly disclosed.

Actively Exploited Zero-Days Patched in February

The six patched zero-days were:

  • CVE-2026-21510: A Windows Shell security feature bypass flaw. Microsoft and Google's Threat Intelligence Group reported it was actively exploited to bypass the SmartScreen prompt, potentially leading to malware execution.
  • CVE-2026-21513: A security feature bypass in the MSHTML framework.
  • CVE-2026-21514: A security feature bypass in Microsoft Word, exploitable by opening a malicious file.
  • CVE-2026-21519: An elevation of privilege vulnerability in the Desktop Window Manager.
  • CVE-2026-21525: A denial of service vulnerability in Windows Remote Access Connection Manager.
  • CVE-2026-21533: An elevation of privilege vulnerability in Windows Remote Desktop Services.

Secure Boot Certificate Rollout

The February updates also began a phased rollout of new Secure Boot certificates to replace the expiring 2011 certificates.

Additional Vendor Updates

During this period, other software vendors released security updates:

  • Mozilla released updates for Firefox and Firefox ESR, resolving 34 vulnerabilities, two of which were suspected to be under active exploitation.
  • Google and Microsoft released updates for Chrome and Edge browsers, including a fix for a high-severity vulnerability in Chrome WebView (CVE-2026-0628).