Microsoft’s January 2026 Patch Tuesday stands out as one of the largest in the past four years. The update fixes 113 vulnerabilities across Windows, Microsoft Office, and related components, including one actively exploited zero-day and eight critical flaws.
The zero-day vulnerability (CVE-2026-20805) affects the Windows Desktop Window Manager (DWM). It allows attackers to leak memory addresses via a remote ALPC port. While classified as an information disclosure issue, experts warn it can be used as one stage of more complex, multi-stage attacks. The Zero Day Initiative notes that it is unusual for a vulnerability of this type to be actively exploited.
Eight critical vulnerabilities allow remote code execution or privilege escalation. Two of them (CVE-2026-20952, CVE-2026-20953) impact Microsoft Office and can be exploited via Outlook’s Preview Pane, requiring no user interaction. Another critical issue in Windows LSASS (CVE-2026-20854) could enable credential theft, lateral movement, and even domain compromise.
Additional critical flaws affect Windows Graphics, Virtualization-Based Security, Excel, and Word, potentially allowing attackers to gain System-level access.
Microsoft also highlights CVE-2026-21265, related to Secure Boot certificate expiration. Organizations that fail to prepare before June 2026 may face system boot failures and new attack vectors. Microsoft released guidance in mid-2025, but security experts stress that preparation time is running out.
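A readiness check for the Secure Boot certificate expiration, added here as an example and not taken from the article or from Microsoft's guidance: it reports whether Secure Boot is on and whether the newer Microsoft CAs are already enrolled in the firmware's db and KEK variables. The certificate subject strings ('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Corporation KEK 2K CA 2023') are assumed from Microsoft's published CA names; run it elevated on a UEFI system.

```powershell
# Added example: Secure Boot certificate readiness check.
# Assumptions: elevated session on a UEFI machine; the CA subject names below
# match the certificates Microsoft issued to replace the expiring 2011 ones.
$dbCaNames  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
$kekCaNames = @('Microsoft Corporation KEK 2K CA 2023')

try {
    $secureBootOn = Confirm-SecureBootUEFI
} catch {
    Write-Warning "Secure Boot query failed (legacy BIOS, or not elevated): $_"
    return
}
Write-Output ("Secure Boot enabled : {0}" -f $secureBootOn)

function Test-CaPresent {
    param([string]$Variable, [string[]]$Names)
    # The variable is a raw EFI_SIGNATURE_LIST blob; DER certificates carry
    # their subject CN as an ASCII PrintableString, so a text search on the
    # ASCII rendering is enough to tell whether a given CA is enrolled.
    $bytes = (Get-SecureBootUEFI -Name $Variable).bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($name in $Names) {
        $found = $text -match [regex]::Escape($name)
        Write-Output ("{0,-4} contains '{1}': {2}" -f $Variable, $name, $found)
        if ($found) { return $true }
    }
    return $false
}

$dbReady  = Test-CaPresent -Variable 'db'  -Names $dbCaNames
$kekReady = Test-CaPresent -Variable 'KEK' -Names $kekCaNames

if (-not ($dbReady -and $kekReady)) {
    Write-Warning 'This machine still relies on the expiring 2011 certificates; apply the Secure Boot certificate update before June 2026.'
} else {
    Write-Output 'Updated Secure Boot CAs are enrolled.'
}
```

On a fleet, run this through your management tooling and collect the warnings so the machines that still need the certificate update are inventoried well ahead of the deadline.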
Why this update matters
With 113 CVEs, January 2026 becomes the third-largest January Patch Tuesday since Microsoft’s modern security bulletin system launched in 2017. Microsoft also removed a long-deprecated, vulnerable driver (Agere Soft Modem) rather than patching it, reinforcing its push to reduce legacy risk.
Updates are available via Windows Update, WSUS, and Microsoft Update Catalog. Timely patching remains critical to reduce exposure and maintain system security.
