Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited

On Tuesday, Microsoft unveiled its first security update for 2026, addressing a total of 114 vulnerabilities, including a notable flaw that has been actively exploited in the wild. Among these vulnerabilities, eight have been classified as Critical, while 106 are deemed Important in severity. The breakdown reveals that 58 vulnerabilities are related to privilege escalation, followed by 22 concerning information disclosure, 21 linked to remote code execution, and five categorized as spoofing flaws. According to data from Fortra, this update represents the third-largest January Patch Tuesday since January 2022 and January 2025.

In addition to the January updates, Microsoft has also resolved two security issues in its Edge browser since the December 2025 Patch Tuesday. These include a spoofing vulnerability in the Android app (CVE-2025-65046, CVSS score: 3.1) and a case of insufficient policy enforcement in Chromium’s WebView tag (CVE-2026-0628, CVSS score: 8.8).

Details on Vulnerabilities

The vulnerability that has garnered attention due to its exploitation is CVE-2026-20805 (CVSS score: 5.5), which pertains to information disclosure within the Desktop Window Manager (DWM). The Microsoft Threat Intelligence Center (MTIC) and Microsoft Security Response Center (MSRC) have played pivotal roles in identifying and reporting this flaw. Microsoft elaborated in an advisory that the exposure of sensitive information could allow an authorized attacker to disclose information locally, specifically a section address from a remote ALPC port, which is part of user-mode memory.

While details regarding the exploitation methods remain scarce, Adam Barnett, lead software engineer at Rapid7, noted that DWM’s role in rendering everything displayed on a Windows system makes it a prime target, combining privileged access with universal availability. Barnett explained that exploitation could lead to improper disclosure of an ALPC port section address, which is crucial for coordinating actions between Windows components.

Previously, Microsoft addressed an actively exploited zero-day flaw in DWM in May 2024 (CVE-2024-30051, CVSS score: 7.8), which was linked to multiple threat actors and the distribution of malware such as QakBot. Satnam Narang, senior staff research engineer at Tenable, referred to DWM as a “frequent flyer” on Patch Tuesday, having seen 20 CVEs patched since 2022.

Jack Bicer, director of vulnerability research at Action1, emphasized that the vulnerability could be exploited by a locally authenticated attacker to disclose information and bypass critical security measures like Address Space Layout Randomization (ASLR). Kev Breen, senior director of cyber threat research at Immersive, elaborated that revealing memory addresses could enable attackers to combine this flaw with other code execution vulnerabilities, transforming complex exploits into practical attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to implement the latest fixes by February 3, 2026. Another noteworthy vulnerability is CVE-2026-21265 (CVSS score: 6.4), which concerns a security feature bypass affecting Secure Boot Certificate Expiration, potentially allowing attackers to undermine a critical security mechanism that ensures firmware authenticity during the boot process.

Secure Boot Certificates and Driver Removals

In November 2025, Microsoft announced the expiration of three Windows Secure Boot certificates issued in 2011, effective June 2026. Customers are urged to transition to their 2023 counterparts to avoid potential disruptions:

  • Microsoft Corporation KEK CA 2011 (June 2026) – Microsoft Corporation KEK 2K CA 2023 (for signing updates to DB and DBX)
  • Microsoft Windows Production PCA 2011 (October 2026) – Windows UEFI CA 2023 (for signing the Windows boot loader)
  • Microsoft UEFI CA 2011 (June 2026) – Microsoft UEFI CA 2023 (for signing third-party boot loaders) and Microsoft Option ROM UEFI CA 2023 (for signing third-party option ROMs)
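To see where a device stands in this transition, the following added example (not Microsoft's or the article's own code) parses the firmware's KEK and db variables and reports whether each 2023 certificate listed above is enrolled. It assumes an elevated PowerShell session on a UEFI system and uses the built-in `Get-SecureBootUEFI` cmdlet; the helper name `Get-EfiX509Subject` is hypothetical.

```powershell
# Added example: report whether the 2023 Secure Boot CAs are enrolled in firmware.
# Assumes an elevated session on a UEFI machine; Get-EfiX509Subject is a hypothetical helper.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EfiX509Subject {
    param([byte[]]$Bytes)
    $offset = 0
    # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then list size,
    # header size and per-signature size (4 bytes each, little-endian).
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a truncated or malformed list instead of reading past the buffer.
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $hdrSize
            while ($pos + $sigSize -le $offset + $listSize) {
                # Each entry is an owner GUID (16 bytes) followed by a DER certificate.
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der).Subject
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

# 2023 certificate names from the list above, mapped to the variable that holds them.
$expected = [ordered]@{
    'Microsoft Corporation KEK 2K CA 2023' = 'KEK'
    'Windows UEFI CA 2023'                 = 'db'
    'Microsoft UEFI CA 2023'               = 'db'
    'Microsoft Option ROM UEFI CA 2023'    = 'db'
}

$subjects = @{}
foreach ($var in 'KEK', 'db') {
    $subjects[$var] = @(Get-EfiX509Subject (Get-SecureBootUEFI -Name $var).Bytes)
}

foreach ($name in $expected.Keys) {
    $var     = $expected[$name]
    $pattern = 'CN=' + [regex]::Escape($name) + '(,|$)'   # exact CN match, not a substring
    [pscustomobject]@{
        Variable    = $var
        Certificate = $name
        Enrolled    = [bool]($subjects[$var] -match $pattern)
    }
}
```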

Microsoft cautioned that failure to update these certificates could affect the secure boot capabilities of various personal and business devices. Additionally, the latest update has removed Agere Soft Modem drivers “agrsm64.sys” and “agrsm.sys,” which were found to be vulnerable to a local privilege escalation flaw (CVE-2023-31096, CVSS score: 7.8) that could grant an attacker SYSTEM permissions.

In a similar vein, Microsoft had previously removed another Agere Modem driver, “ltmdm64.sys,” following the discovery of a privilege escalation vulnerability (CVE-2025-24990, CVSS score: 7.8) that allowed for administrative privileges. Also noteworthy is CVE-2026-20876 (CVSS score: 6.7), a critical privilege escalation flaw in Windows Virtualization-Based Security (VBS) Enclave, which could enable an attacker to gain Virtual Trust Level 2 (VTL2) privileges, compromising advanced security controls.

Mike Walters, president and co-founder of Action1, highlighted the severity of this flaw, stating that it undermines the security boundary designed to protect Windows, allowing attackers to infiltrate one of the most trusted execution layers of the system. Although exploitation requires high privileges, the implications are significant, necessitating prompt patching to maintain trust in Windows security frameworks.

Software Patches from Other Vendors

Alongside Microsoft’s extensive updates, several other vendors have also released security patches to address various vulnerabilities, including:

  • Adobe
  • Amazon Web Services
  • AMD
  • Arm
  • ASUS
  • Broadcom (including VMware)
  • Cisco
  • ConnectWise
  • D-Link
  • Dell
  • Devolutions
  • Drupal
  • Elastic
  • F5
  • Fortinet
  • Fortra
  • Foxit Software
  • FUJIFILM
  • Gigabyte
  • GitLab
  • Google Android and Pixel
  • Google Chrome
  • Google Cloud
  • Grafana
  • Hikvision
  • HP
  • HP Enterprise (including Aruba Networking and Juniper Networks)
  • IBM
  • Imagination Technologies
  • Lenovo
  • Linux distributions (AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu)
  • MediaTek
  • Mitel
  • Mitsubishi Electric
  • MongoDB
  • Moxa
  • Mozilla Firefox and Firefox ESR
  • NETGEAR
  • Node.js
  • NVIDIA
  • ownCloud
  • QNAP
  • Qualcomm
  • Ricoh
  • Samsung
  • SAP
  • Schneider Electric
  • ServiceNow
  • Siemens
  • SolarWinds
  • SonicWall
  • Sophos
  • Spring Framework
  • Synology
  • TP-Link
  • Trend Micro
  • Veeam