Microsoft January 2026 Patch Tuesday: Critical Updates Required
Microsoft kicked off 2026 with a significant Patch Tuesday release, addressing 114 security vulnerabilities across its product portfolio. Of particular concern is one actively exploited zero-day that CISA has added to its Known Exploited Vulnerabilities (KEV) catalog.
At a Glance
| Metric | Count |
|---|---|
| Total Vulnerabilities | 114 |
| Critical Severity | 8 |
| Important Severity | 106 |
| Zero-Days | 3 |
| Actively Exploited | 1 |
Actively Exploited Zero-Day
CVE-2026-20805 - Desktop Window Manager Information Disclosure
The most critical issue this month is CVE-2026-20805, an information disclosure vulnerability in the Desktop Window Manager (DWM) that is being actively exploited in the wild.
- CVSS Score: 5.5
- Attack Vector: Local
- Privileges Required: Low
- User Interaction: None
CISA has mandated that all federal agencies apply this fix by February 3, 2026.
Critical Remote Code Execution Flaws
Six critical RCE vulnerabilities were patched affecting core Microsoft products:
| CVE | Product | CVSS |
|---|---|---|
| CVE-2026-20854 | Microsoft Excel | 8.8 |
| CVE-2026-20944 | Microsoft Office | 8.8 |
| CVE-2026-20952 | Windows LSASS | 9.8 |
| CVE-2026-20953 | Windows LSASS | 9.8 |
| CVE-2026-20955 | Microsoft Office | 8.8 |
| CVE-2026-20957 | Microsoft Excel | 8.8 |
Windows LSASS Vulnerabilities
The LSASS (Local Security Authority Subsystem Service) flaws are particularly concerning as they could allow remote attackers to execute arbitrary code with SYSTEM privileges. Organizations should prioritize these patches.
Affected Systems:
- Windows Server 2019
- Windows Server 2022
- Windows 10 (all supported versions)
- Windows 11 (all supported versions)Other Notable Vulnerabilities
CVE-2026-20876 - VBS Enclave Privilege Escalation
A critical privilege escalation flaw in Windows Virtualization-Based Security (VBS) Enclave could enable attackers to obtain Virtual Trust Level 2 (VTL2) privileges.
- CVSS Score: 6.7
- Impact: Subvert security controls, bypass Credential Guard
CVE-2026-21265 - Secure Boot Bypass
A security feature bypass affecting Windows Secure Boot relies on certificates expiring in June and October 2026. Organizations should plan for certificate rotation.
Legacy Driver Removals
Microsoft announced the removal of vulnerable Agere Soft Modem drivers:
agrsm64.sysagrsm.sys
These drivers contained exploitable vulnerabilities and have been blocklisted.
Recommended Actions
- Immediate: Apply CVE-2026-20805 patch (actively exploited)
- High Priority: Patch LSASS RCE vulnerabilities (CVE-2026-20952, CVE-2026-20953)
- Standard: Deploy remaining Critical and Important updates
- Plan: Prepare for Secure Boot certificate rotation
Patch Deployment
# Check for updates via PowerShell
Get-WindowsUpdate -MicrosoftUpdate
# Install all security updates
Install-WindowsUpdate -AcceptAll -AutoRebootReferences
- Microsoft Security Response Center
- BleepingComputer - Microsoft January 2026 Patch Tuesday
- Krebs on Security - Patch Tuesday January 2026
- The Hacker News - Microsoft Fixes 114 Flaws
- CISA Known Exploited Vulnerabilities Catalog
Last updated: January 14, 2026