Microsoft has released its first significant security update of 2026, addressing a substantial number of vulnerabilities. The January Patch Tuesday addresses 114 security flaws, with eight classified as Critical and 106 as Important. Notably, one vulnerability has been actively exploited in the wild, prompting urgent attention from cybersecurity professionals worldwide.
This latest batch of patches is particularly extensive, marking the third-largest January Patch Tuesday in recent years, following similar large releases in January 2025 and January 2022. The update includes fixes for privilege escalation, information disclosure, remote code execution, and spoofing flaws across various Microsoft products.
Microsoft Addresses Actively Exploited Vulnerability in Desktop Window Manager
The most pressing issue highlighted in this update is CVE-2026-20805, an information disclosure flaw affecting the Desktop Window Manager (DWM). This vulnerability, with a CVSS score of 5.5, has been confirmed to be exploited by attackers in real-world scenarios. While precise details regarding the scale or actors behind the exploitation remain scarce, its inclusion in Microsoft’s advisories underscores its immediate threat.
Microsoft explains that the vulnerability “allows an authorized attacker to disclose information locally” by exposing sensitive user-mode memory addresses related to Remote ALPC ports. This disclosure could provide attackers with crucial insights for further malicious activities.
Experts note that the Desktop Window Manager, responsible for rendering the graphical interface on Windows systems, presents an appealing target due to its privileged access and widespread use across nearly all processes. Adam Barnett, lead software engineer at Rapid7, commented that exploitation results in the “improper disclosure of an ALPC port section address,” which is vital for inter-component communication in Windows.
This is not the first time DWM has been implicated in actively exploited vulnerabilities. In May 2024, Microsoft patched a zero-day flaw (CVE-2024-30051) in DWM, described as a privilege escalation vulnerability linked to the distribution of malware like QakBot. Satnam Narang, senior staff research engineer at Tenable, referred to DWM as a frequent target, noting that 20 CVEs related to this component have been addressed since 2022.
The implications of CVE-2026-20805 extend to undermining core security mechanisms. Jack Bicer, director of vulnerability research at Action1, stated that the vulnerability can be exploited by a locally authenticated attacker to compromise defenses such as Address Space Layout Randomization (ASLR). ASLR is a critical operating system feature designed to prevent memory-based exploits like buffer overflows.
Kev Breen, senior director of cyber threat research at Immersive, elaborated that by revealing memory addresses, this vulnerability can be chained with other code execution flaws, transforming theoretical attacks into practical and repeatable ones. Recognizing the severity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20805 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that U.S. Federal Civilian Executive Branch agencies apply the necessary patches by February 3, 2026.
Other Notable Vulnerabilities and Security Concerns
Beyond the actively exploited flaw, the January update also addresses other significant vulnerabilities. One notable issue is CVE-2026-21265, a security feature bypass impacting Secure Boot Certificate Expiration. This vulnerability, with a CVSS score of 6.4, could potentially allow an attacker to circumvent a critical security process that verifies the authenticity of firmware and prevents malicious code execution during the boot process.
This addresses a broader concern for Microsoft and its users. In November 2025, Microsoft announced the impending expiration of three Windows Secure Boot certificates issued in 2011, with deadlines set for June and October 2026. The company urged customers to upgrade to their 2023 counterparts to maintain secure booting capabilities. Failure to update these certificates before their expiration could prevent certain devices from booting securely.
The latest update also includes the removal of Agere Soft Modem drivers, “agrsm64.sys” and “agrsm.sys,” which were previously included with the operating system. These third-party drivers were susceptible to a local privilege escalation flaw, CVE-2023-31096 (CVSS score: 7.8), that could grant attackers SYSTEM-level permissions. This follows a similar action in October 2025, where Microsoft removed another Agere Modem driver, “ltmdm64.sys,” due to in-the-wild exploitation of a privilege escalation vulnerability.
Another critical vulnerability addressed is CVE-2026-20876 (CVSS score: 6.7) within the Windows Virtualization-Based Security (VBS) Enclave. This privilege escalation flaw could allow an attacker to attain Virtual Trust Level 2 (VTL2) privileges, enabling them to bypass security controls, establish persistent access, and evade detection. Mike Walters, president and co-founder of Action1, highlighted the severity, noting that it “breaks the security boundary designed to protect Windows itself,” potentially compromising virtualization-based security and advanced defenses.
Software Patches from Other Vendors
In addition to Microsoft’s extensive security update, numerous other vendors have also released patches this month to address various vulnerabilities. This includes updates from ABB, Adobe, Amazon Web Services, AMD, Arm, ASUS, Broadcom (including VMware), Cisco, ConnectWise, Dassault Systèmes, Dell, Devolutions, Drupal, Elastic, F5, Fortinet, Fortra, Foxit Software, FUJIFILM, Gigabyte, GitLab, Google (Android, Pixel, Chrome, Cloud), Grafana, Hikvision, HP, HP Enterprise, IBM, Imagination Technologies, Lenovo, various Linux distributions, MediaTek, Mitel, Mitsubishi Electric, MongoDB, Moxa, Mozilla (Firefox and Firefox ESR), n8n, NETGEAR, Node.js, NVIDIA, ownCloud, QNAP, Qualcomm, Ricoh, Samsung, SAP, Schneider Electric, ServiceNow, Siemens, SolarWinds, SonicWall, Sophos, Spring Framework, Synology, TP-Link, Trend Micro, and Veeam.
The widespread nature of these updates across the software ecosystem emphasizes the ongoing and evolving threat landscape. Users and organizations are advised to prioritize applying these patches promptly to mitigate potential risks. The inclusion of an actively exploited vulnerability by Microsoft highlights the immediate need for vigilance and timely patching, especially for critical infrastructure and sensitive data environments. The coming weeks will likely see further analysis of the exploited DWM vulnerability and potential guidance from security researchers on specific exploitation techniques.