Microsoft released its first security update of 2026, addressing 112 vulnerabilities across its product ecosystem. Among the patches is a zero-day vulnerability in Desktop Window Manager that has been actively exploited. The update, part of Microsoft’s regular Patch Tuesday, brings the total number of addressed CVEs to over 110 for the second consecutive January.
This Patch Tuesday is the second consecutive month in which Microsoft has disclosed no critical-rated vulnerabilities, while the volume of fixes remains high: as in the previous January, the batch contains more than 110 CVEs.
Microsoft’s January 2026 Security Update Addresses Zero-Day
The newly patched zero-day, identified as CVE-2026-20805, is classified as an information disclosure vulnerability by Microsoft. It carries a CVSS rating of 5.5, indicating a moderate severity. An unauthorized attacker could potentially exploit this flaw to gain access to sensitive information on a targeted system.
The Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the threat by adding CVE-2026-20805 to its catalog of actively exploited vulnerabilities. This inclusion highlights the agency’s concern about the potential impact of this specific security defect.
Implications of Information Disclosure Vulnerabilities
While information disclosure vulnerabilities are not as frequently exploited as other types, they can still pose significant risks. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, noted that memory leaks, which this vulnerability may involve, can be crucial for attackers.
According to Childs, memory leaks can enhance the reliability of remote code execution attacks. This means that even though CVE-2026-20805 itself might not grant full system control, it could be a stepping stone for more damaging exploits. The leaked information can weaken existing security measures.
Jack Bicer, director of vulnerability research at Action1, elaborated on the potential consequences. He stated that the memory exposed by exploiting CVE-2026-20805 can compromise defenses and facilitate further attacks. This could lead to a cascade of security breaches.
“This vulnerability increases the risk of successful multi-stage attacks,” Bicer said in an email. “Leaked memory details can be combined with other vulnerabilities to achieve privilege escalation or data theft, potentially leading to broader system compromise, regulatory exposure and loss of trust.”
Exploitation Requirements and Affected Components
Microsoft has not provided details on the number of attacks linked to this particular zero-day. However, experts suggest that exploiting CVE-2026-20805 requires an attacker to have local access to the targeted system. This precondition can limit the scope of its immediate impact.
Satnam Narang, senior staff research engineer at Tenable, confirmed this assessment. He added that while Desktop Window Manager components have been frequently addressed in past Patch Tuesday updates, this is the first instance of an information disclosure bug in this component being exploited in the wild.
Narang noted that attackers have historically leveraged vulnerabilities in Desktop Window Manager for privilege escalation, a critical step in gaining deeper access to systems. The patching of this specific flaw aims to prevent such attacks.
Other Vulnerabilities Addressed
Beyond the zero-day, Microsoft’s January update also includes patches for severe vulnerabilities in other products. Notably, CVE-2026-20947 and CVE-2026-20963 affect Microsoft Office SharePoint. Additionally, CVE-2026-20868 impacts the Windows Routing and Remote Access Service.
Several vulnerabilities in Microsoft Office products were also addressed. These include CVE-2026-20952 and CVE-2026-20955, along with CVE-2026-20944, which affects Microsoft Office Word. These patches matter because the affected productivity software is so widely deployed.
Microsoft has also flagged eight vulnerabilities with a CVSS rating of 7.8 as being more likely to be exploited in the near future. These vulnerabilities, while not zero-days, warrant prompt attention from users and administrators.
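One way a defender would turn a release like this into a patching order, as an added example that is not from the article or from Microsoft: rank each CVE first by whether CISA's KEV catalog lists it, then by Microsoft's "exploitation more likely" flag, and only then by CVSS score. The KEV excerpt below is constructed in the shape of CISA's JSON feed and contains only the one entry the article reports; every score, attack vector and exploitability flag other than CVE-2026-20805's 5.5 is a constructed placeholder, not a published value.

```python
"""Added triage example (not from the article): order a Patch Tuesday
release so that known-exploited CVEs come first, vendor-flagged
"exploitation more likely" CVEs second, and everything else by CVSS.
All scores, attack vectors and flags below except CVE-2026-20805's 5.5
are constructed placeholders, not Microsoft's published values."""
from dataclasses import dataclass

# Constructed excerpt in the shape of CISA's KEV JSON feed, holding only
# the entry the article says was added to the catalog.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-20805", "vendorProject": "Microsoft",
         "product": "Windows"},
    ]
}


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    cvss: float                        # placeholder except for CVE-2026-20805
    attack_vector: str                 # "local" or "network" (assumed)
    exploit_more_likely: bool = False  # vendor exploitability flag (assumed)


# Constructed release sample using only the CVE IDs the article names.
RELEASE = [
    Advisory("CVE-2026-20805", "Desktop Window Manager", 5.5, "local"),
    Advisory("CVE-2026-20947", "Office SharePoint", 8.8, "network"),
    Advisory("CVE-2026-20963", "Office SharePoint", 7.8, "network", True),
    Advisory("CVE-2026-20868", "Routing and Remote Access Service", 8.8, "network"),
    Advisory("CVE-2026-20952", "Office", 7.8, "local", True),
    Advisory("CVE-2026-20955", "Office", 7.8, "local"),
    Advisory("CVE-2026-20944", "Office Word", 7.8, "local", True),
]


def kev_ids(kev: dict) -> set[str]:
    """Collect the CVE IDs present in a KEV-shaped document."""
    return {entry["cveID"] for entry in kev.get("vulnerabilities", [])}


def tier(adv: Advisory, known: set[str]) -> int:
    """0 = listed in KEV, 1 = vendor says exploitation more likely, 2 = other."""
    if adv.cve in known:
        return 0
    if adv.exploit_more_likely:
        return 1
    return 2


def triage(release: list[Advisory], kev: dict) -> list[Advisory]:
    """Sort by tier, then higher CVSS, then CVE ID for a stable order.
    A local attack vector is reported as context but never demotes a KEV
    entry: local access narrows the exposed population, yet the flaw is
    still being exploited, so it stays at the head of the queue."""
    known = kev_ids(kev)
    return sorted(release, key=lambda a: (tier(a, known), -a.cvss, a.cve))


def report(release: list[Advisory], kev: dict) -> list[str]:
    """Render one line per advisory in triage order."""
    known = kev_ids(kev)
    labels = {0: "KEV", 1: "more-likely", 2: "routine"}
    return [
        f"{labels[tier(a, known)]:11} {a.cve}  CVSS {a.cvss:.1f}  "
        f"{a.attack_vector:7} {a.component}"
        for a in triage(release, kev)
    ]


if __name__ == "__main__":
    print("\n".join(report(RELEASE, KEV_SAMPLE)))
```

With the sample data the DWM bug lands first despite its 5.5 score, the three flagged Office and SharePoint entries follow, and the two 8.8 placeholders sit behind them; swapping in the real KEV feed and Microsoft's published exploitability ratings is the only change needed for a live release.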
The complete list of security vulnerabilities patched in the January 2026 update is available on Microsoft’s Security Response Center portal. Organizations are advised to apply these updates as soon as possible to protect their systems.
The immediate step for users and organizations is to install Microsoft's released security updates promptly. The security community will continue to monitor for new information on the exploitation of CVE-2026-20805 and the other patched vulnerabilities; the full extent of prior exploitation and the possible future attack vectors remain unknown.