Microsoft’s January 2026 Patch Tuesday security release shipped fixes for 114 vulnerabilities, including three zero-days (one actively exploited) and eight Critical issues. The bulk of the fixes land in Windows, with additional patches across Office and other Microsoft components. (BleepingComputer)
At-a-glance highlights
- Total fixed: 114 vulnerabilities (Microsoft’s count for the day’s release). (BleepingComputer)
- Zero-days: 3 total — 1 exploited in the wild, 2 publicly disclosed at release. (BleepingComputer)
- Vuln mix (largest buckets): 57 Elevation of Privilege, 22 Remote Code Execution, 22 Information Disclosure. (BleepingComputer)
- CISA KEV: The exploited zero-day is listed in CISA’s Known Exploited Vulnerabilities catalogue (a strong “patch now” signal for many orgs). (NVD)
Zero-days fixed in January 2026
1) Actively exploited: Windows Desktop Window Manager (DWM) info disclosure
- CVE-2026-20805 — Desktop Window Manager Information Disclosure
- Status: Exploited in the wild (Microsoft-confirmed). (BleepingComputer)
- What it enables: Local attackers can disclose sensitive memory-related information (Microsoft describes leaking a section address from a remote ALPC port). This type of leak is often useful as part of a larger exploit chain (e.g., to help bypass mitigations like ASLR). (BleepingComputer)
- Links: Microsoft advisory for CVE-2026-20805 | NVD
2) Publicly disclosed: Secure Boot certificate expiration / trust chain maintenance
- CVE-2026-21265 — Secure Boot Certificate Expiration Security Feature Bypass
- Status: Publicly disclosed. (BleepingComputer)
- What to know: Microsoft warned that Secure Boot certificates issued in 2011 are nearing expiry (2026) and that systems not updated may face increased risk of Secure Boot bypass scenarios; January updates renew certificates to preserve the trust chain. (BleepingComputer)
- Links: Microsoft advisory for CVE-2026-21265 | NVD
3) Publicly disclosed: Removal of vulnerable legacy Agere modem drivers
- CVE-2023-31096 — Windows Agere Soft Modem Driver Elevation of Privilege
- Status: Publicly disclosed (Microsoft noted public exploit code / disclosure context). (BleepingComputer)
- What changed: Microsoft removed the vulnerable agrsm64.sys / agrsm.sys drivers in the January cumulative updates (a “remove the component” style fix). (BleepingComputer)
- Links: Microsoft advisory for CVE-2023-31096 | NVD
What defenders should prioritise
- Patch CVE-2026-20805 first across Windows estate (workstations + servers). It’s actively exploited, and CISA flags it as known-exploited — even though it’s “only” an info disclosure, it can be valuable in real-world exploit chains. (BleepingComputer)
- Do not defer Secure Boot certificate updates (CVE-2026-21265), especially for fleets with long-lived images, offline devices, or strict boot-chain requirements. (BleepingComputer)
- Validate driver/legacy hardware impacts from Agere modem driver removals (CVE-2023-31096) in any niche environments that may still depend on soft modem functionality (including some industrial/legacy setups). (BleepingComputer)