Microsoft’s January 2026 Patch Tuesday release addresses 114 security vulnerabilities across Windows, Office, and other Microsoft products, including three zero-day vulnerabilities—one actively exploited in the wild and two publicly disclosed.
Vulnerability summary
| Category | Count |
|---|---|
| Total CVEs | 114 |
| Critical | 8 |
| Important | 98+ |
| Moderate | 7 |
| Zero-days | 3 |
| Actively exploited | 1 |
Breakdown by type
| Vulnerability Type | Count | Percentage |
|---|---|---|
| Elevation of Privilege | 57 | 50% |
| Remote Code Execution | 22 | 19% |
| Information Disclosure | 22 | 19% |
| Security Feature Bypass | 7 | 6% |
| Denial of Service | 4 | 4% |
| Spoofing | 2 | 2% |
Zero-day vulnerabilities
CVE-2026-20805: Actively exploited
| Attribute | Value |
|---|---|
| CVSS Score | 5.5 (Medium) |
| Component | Windows Desktop Window Manager (DWM) |
| Type | Information Disclosure |
| Attack Vector | Local |
| Privileges Required | Low |
| User Interaction | None |
| Exploitation | Active |
Technical details:
The vulnerability allows a local attacker with low privileges to read memory addresses associated with the remote ALPC port in Desktop Window Manager.
Why it matters despite medium severity:
While rated as “Information Disclosure,” the vulnerability is actively exploited to leak memory addresses, enabling attackers to bypass ASLR (Address Space Layout Randomization). ASLR bypass is a critical enabler for multi-stage attacks—once memory layout is known, exploiting other vulnerabilities becomes significantly easier.
CISA KEV: Added to the Known Exploited Vulnerabilities catalog with a February 3, 2026 remediation deadline for federal agencies.
CVE-2023-31096: Publicly disclosed (now removed)
| Attribute | Value |
|---|---|
| Component | Windows Agere Soft Modem Driver |
| Type | Elevation of Privilege |
| Status | Driver removed in this update |
Microsoft previously warned about actively exploited vulnerabilities in a third-party Agere Modem driver shipped with Windows. This update removes the vulnerable drivers entirely rather than patching them.
CVE-2026-21265: Publicly disclosed
| Attribute | Value |
|---|---|
| CVSS Score | 6.4 |
| Component | Windows Secure Boot |
| Type | Security Feature Bypass |
| Privileges Required | High |
| Attack Vector | Local |
This vulnerability allows authenticated local attackers with high privileges to bypass security features by exploiting weaknesses in the certificate update mechanism.
Critical vulnerabilities
Microsoft Office RCE (CVE-2026-20952, CVE-2026-20953)
| Attribute | Value |
|---|---|
| CVSS Score | 8.4 |
| Attack Vector | Network |
| User Interaction | Required |
Critical remote code execution flaws in Microsoft Office. Exploitation requires user interaction (opening malicious document).
Microsoft Word RCE (CVE-2026-20944)
| Attribute | Value |
|---|---|
| CVSS Score | 8.4 |
| Type | Out-of-bounds read |
| Authentication | None required |
Unauthenticated attackers can execute arbitrary code through malicious Word documents.
Windows VBS Enclave EoP (CVE-2026-20876)
| Attribute | Value |
|---|---|
| Type | Heap-based buffer overflow |
| Impact | Elevation to VTL2 (Virtual Trust Level 2) |
| Current privileges | High (already elevated) |
A local attacker who already has high privileges can exploit the enclave to elevate into Virtual Trust Level 2 (VTL2)—the highest trust level in Windows virtualization-based security.
Other critical flaws
| Component | Type |
|---|---|
| Windows Hyper-V | Remote Code Execution |
| Windows LDAP | Remote Code Execution |
| Windows OLE | Remote Code Execution |
| .NET Framework | Remote Code Execution |
Products affected
| Product | Patches |
|---|---|
| Microsoft Windows | 93 |
| Microsoft Office | 16 |
| Microsoft Edge | Included |
| Microsoft Defender | Included |
| Azure Services | Included |
| Visual Studio | Included |
Known issues
Windows 11 boot failures
Microsoft is investigating reports that some Windows 11 devices fail to boot with “UNMOUNTABLE_BOOT_VOLUME” errors after installing January 2026 security updates.
Workaround:
- Boot into Windows Recovery Environment
- Select Troubleshoot → Advanced options → Startup Repair
- Run startup repair
Recommendation: Test updates on representative hardware before broad deployment.
Patching priorities
Tier 1: Immediate
| CVE | Reason |
|---|---|
| CVE-2026-20805 | Actively exploited, enables ASLR bypass |
| CVE-2026-20952/53/44 | Critical Office RCE |
| All Critical severity | Maximum impact |
Tier 2: Urgent
| Category | Reason |
|---|---|
| Elevation of Privilege (57) | Privilege escalation enables lateral movement |
| Hyper-V flaws | Virtualization escape risk |
| LDAP vulnerabilities | Domain controller exposure |
Tier 3: Standard cycle
| Category | Reason |
|---|---|
| Information Disclosure | Lower immediate impact |
| Denial of Service | Availability vs. confidentiality |
| Moderate severity | Reduced exploitation likelihood |
Deployment guidance
| Step | Action |
|---|---|
| 1 | Review Microsoft Security Update Guide |
| 2 | Test on representative systems (especially Windows 11) |
| 3 | Monitor for boot issues during initial deployment |
| 4 | Prioritize CVE-2026-20805 for immediate deployment |
| 5 | Deploy critical Office patches |
| 6 | Complete remaining updates within standard cycle |
Detection and monitoring
For CVE-2026-20805 exploitation
| Indicator | Detection Method |
|---|---|
| DWM memory access patterns | EDR behavioral monitoring |
| ALPC port information leakage | Windows event logging |
| Multi-stage attack chains | Correlation of privilege escalation attempts |
General patch compliance
- Use Windows Update for Business or WSUS for deployment tracking
- Monitor Windows Update logs for installation failures
- Verify patch status via Get-HotFix or vulnerability scanners
CVE-2026-20805: A “frequent flyer” component
The Desktop Window Manager (DWM) has become a recurring source of vulnerabilities, earning security researchers’ attention as a high-value exploitation target.
DWM vulnerability history
| Year | CVE Count | Notable Issues |
|---|---|---|
| 2022 | 3 | Multiple EoP vulnerabilities |
| 2023 | 5 | Core shim vulnerabilities |
| 2024 | 6 | Memory corruption issues |
| 2025 | 4 | Information disclosure, EoP |
| 2026 (Jan) | 2 | CVE-2026-20805 + related flaw |
| Total | 20+ | Across 5 years |
The DWM component’s privileged position—handling window composition across all processes—makes it attractive for exploit chain development. Security researcher Marcus Hutchins has described DWM as a “frequent flyer” in Windows vulnerability disclosures.
Exploitation in the wild
Microsoft and CISA confirm CVE-2026-20805 exploitation, with threat intelligence linking early exploitation to:
| Threat actor | Campaign | Use case |
|---|---|---|
| QakBot operators | Banking trojan distribution | ASLR bypass for subsequent RCE |
| Financially motivated actors | Credential theft | Privilege escalation chain |
The vulnerability’s value lies not in direct impact but in enabling other attacks. By leaking memory addresses, attackers can reliably exploit vulnerabilities that would otherwise be mitigated by ASLR.
No workarounds available
Microsoft’s advisory explicitly states:
“There are no workarounds for this vulnerability. Apply the security update as soon as possible.”
This is notable because many vulnerabilities include registry tweaks, feature disabling, or configuration changes as interim mitigations. The lack of workarounds for CVE-2026-20805 means patching is the only remediation option.
Comparing to previous Patch Tuesdays
| Month | Total CVEs | Zero-days | Critical | Notes |
|---|---|---|---|---|
| January 2026 | 114 | 3 | 8 | Current release |
| December 2025 | 72 | 1 | 4 | Holiday reduction |
| November 2025 | 92 | 2 | 6 | Average volume |
| October 2025 | 103 | 4 | 9 | High activity |
| January 2025 | 98 | 2 | 7 | Year-ago comparison |
January 2026’s count of 114 CVEs represents a 16% increase over January 2025, continuing the trend of expanding patch volumes.
Federal deadline implications
CISA’s February 3, 2026 KEV deadline for CVE-2026-20805 creates urgency for federal agencies:
| Requirement | Deadline | Scope |
|---|---|---|
| Patch deployment | February 3, 2026 | All federal civilian executive branch agencies |
| Compliance reporting | 24 hours post-deadline | CISA dashboard |
| Waiver requests | Before deadline | Requires CIO approval |
Private sector organizations tracking KEV for their own patching priorities should treat this deadline as a signal of genuine risk.
Context
January 2026 Patch Tuesday sets the tone for the year with a substantial update addressing the full spectrum of vulnerability types. The actively exploited CVE-2026-20805 demonstrates that even “medium severity” information disclosure can enable sophisticated attack chains when it undermines security fundamentals like ASLR.
The DWM component’s history of vulnerabilities—20+ CVEs since 2022—suggests it warrants ongoing attention from both Microsoft’s security team and enterprise defenders. Organizations should consider DWM-related vulnerabilities as high priority regardless of stated severity.
The removal of vulnerable Agere Modem drivers (rather than patching) reflects Microsoft’s increasing willingness to deprecate legacy components that present ongoing security risk.
Organizations should prioritize the actively exploited zero-day and critical RCE vulnerabilities while monitoring for the reported Windows 11 boot issues that may affect deployment timelines. Given the lack of workarounds for CVE-2026-20805, patching is the only viable remediation.