Microsoft January 2026 Patch Tuesday Fixes 3 Zero-Days, 114 Flaws
Summary:
As part of the January Patch Tuesday, Microsoft addressed a total of 114 flaws, including zero-days. Of the 114 flaws addressed, there were 57 Elevation of Privilege vulnerabilities, 3 Security Feature Bypass vulnerabilities, 22 Remote Code Execution vulnerabilities, 22 Information Disclosure vulnerabilities, 2 Denial of Service vulnerabilities, and 5 Spoofing vulnerabilities. Eight flaws have been rated critical in severity; these could allow actors to elevate privileges or execute code remotely on vulnerable systems:
- CVE-2026-20822: Windows Graphics Component Elevation of Privilege Vulnerability
- CVE-2026-20952, CVE-2026-20953: Microsoft Office Remote Code Execution Vulnerability
- CVE-2026-20957, CVE-2026-20955: Microsoft Excel Remote Code Execution Vulnerability
- CVE-2026-20944: Microsoft Word Remote Code Execution Vulnerability
- CVE-2026-20854: Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
- CVE-2026-20876: Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
Other vendors also released security updates in the same period:
- Adobe released security updates for InDesign, Illustrator, InCopy, Bridge, Substance 3D Modeler, Substance 3D Stager, Substance 3D Painter, Substance 3D Sampler, ColdFusion, and Substance 3D Designer.
- Cisco released security updates for an Identity Services Engine (ISE) vulnerability for which public proof-of-concept exploit code exists.
- Fortinet released security updates for multiple products, including fixes for two RCEs.
- D-Link confirmed that a new actively exploited vulnerability impacts end-of-life routers.
- Google has released Android's January security bulletin, which includes a fix for one critical "DD+ Codec" flaw that impacts Dolby components.
- jsPDF fixed a critical vulnerability that could be used to smuggle arbitrary files from a server while generating PDFs.
- n8n fixed a maximum-severity vulnerability dubbed "Ni8mare" that can be used to hijack servers.
- SAP released the January security updates for multiple products, including a fix for a code injection flaw in SAP Solution Manager rated 9.9/10.
- ServiceNow disclosed a critical privilege escalation vulnerability in the ServiceNow AI Platform.
- Trend Micro patched a critical security flaw in Apex Central (on-premise) that could allow attackers to execute arbitrary code with SYSTEM privileges.
- Veeam released security updates to patch multiple security flaws in its Backup & Replication software, including a critical RCE vulnerability.
Security Officer Comments:
This month’s Patch Tuesday addresses three zero-day vulnerabilities, one of which is actively being exploited in attacks, while the other two have been publicly disclosed. The actively exploited zero-day, tracked as CVE-2026-20805, pertains to an information disclosure flaw in the Desktop Window Manager. Successful exploitation could allow authorized local attackers to read sensitive user-mode memory, specifically in a section address associated with a remote Advanced Local Procedure Call (ALPC) port.
In addition to the actively exploited flaw, Microsoft addressed two publicly disclosed zero-day vulnerabilities. The first, tracked as CVE-2026-21265, is a Secure Boot certificate expiration security feature bypass vulnerability. According to Microsoft, Secure Boot certificates issued in 2011 are set to expire in 2026, which could enable actors to bypass Secure Boot protections on systems that are not updated. Note: the latest security updates released by Microsoft renew the affected certificates to preserve the Secure Boot trust chain and allow continued verification of boot components.
The second publicly disclosed zero-day, tracked as CVE-2023-31096, affects third-party Agere Soft Modem drivers that are shipped natively with supported Windows operating systems. This elevation of privilege vulnerability had previously been exploited to gain administrative rights on compromised systems. As part of the January 2026 cumulative updates, Microsoft has fully removed the vulnerable agrsm64.sys and agrsm.sys drivers from Windows.
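The two publicly disclosed zero-days above leave a verifiable footprint on a patched host: the renewed 2023 Secure Boot CA should now be present in the UEFI signature database (db), and the removed agrsm64.sys / agrsm.sys driver binaries should be gone. The following post-patch check is an added example written for this summary, not code from Microsoft or from the linked article; it assumes an elevated PowerShell session on a UEFI system, and the "Windows UEFI CA 2023" subject string and the DriverStore path are assumptions about where the evidence lives.

```powershell
# Added example: verify remediation state for CVE-2026-21265 and CVE-2023-31096.
# Assumes an elevated PowerShell session on a UEFI-firmware Windows host.

function Test-SecureBootCA2023 {
    # Confirm-SecureBootUEFI throws on legacy BIOS or when Secure Boot is unsupported.
    try { $enabled = Confirm-SecureBootUEFI }
    catch { return [pscustomobject]@{ SecureBoot = 'Unavailable'; CA2023InDb = $false } }

    # The db variable is a raw byte blob of EFI_SIGNATURE_LISTs; the certificate
    # subject appears as ASCII inside the DER entries, so a string match suffices.
    # The subject string is an assumption based on Microsoft's published CA naming.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    [pscustomobject]@{
        SecureBoot = $enabled
        CA2023InDb = ($db -match 'Windows UEFI CA 2023')
    }
}

function Test-AgereModemDriverRemoved {
    $names = 'agrsm64.sys', 'agrsm.sys'
    $found = @()
    foreach ($n in $names) {
        $p = Join-Path $env:SystemRoot "System32\drivers\$n"
        if (Test-Path $p) { $found += $p }
    }
    # Assumed location of inbox driver packages; a leftover copy here can be re-staged.
    $store = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    $found += Get-ChildItem -Path $store -Recurse -Include $names -ErrorAction SilentlyContinue |
              ForEach-Object FullName
    # A registered kernel driver still pointing at the binary is the stronger signal.
    $registered = Get-CimInstance Win32_SystemDriver |
                  Where-Object { $_.PathName -match 'agrsm(64)?\.sys' }
    [pscustomobject]@{
        FilesPresent     = $found
        DriverRegistered = [bool]$registered
        Removed          = ($found.Count -eq 0 -and -not $registered)
    }
}

Test-SecureBootCA2023
Test-AgereModemDriverRemoved
```

A host reporting CA2023InDb = $false after installing the January update still needs the certificate servicing step that Microsoft ships separately from the cumulative update, and FilesPresent listing any path means the driver removal did not complete.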
Suggested Corrections:
Organizations should review the list of vulnerabilities resolved and apply the relevant patches as needed. To access the full list of vulnerabilities addressed, please use the link below:
https://www.bleepingcomputer.com/mi...rts/Microsoft-Patch-Tuesday-January-2026.html
Link(s):
https://www.bleepingcomputer.com/ne...26-patch-tuesday-fixes-3-zero-days-114-flaws/