Patch Tuesday:​ January 2026's Microsoft Security Updates

Published: January 13, 2026

Microsoft has released its January 2026 Patch Tuesday security updates, addressing 114 vulnerabilities across its product ecosystem. This month's update includes three zero-day vulnerabilities, with one actively exploited in the wild, making immediate deployment critical for organizations worldwide.

Executive Summary

The January 2026 Patch Tuesday represents the first major security release of the year, featuring fixes for widespread vulnerabilities affecting Windows operating systems, Microsoft Office applications, and server components. Security teams should prioritize deployment of these updates, particularly for systems exposed to the actively exploited Desktop Window Manager vulnerability.

Key Statistics:

• Total CVEs: 114 vulnerabilities fixed
• Critical severity: 8 vulnerabilities
• Zero-days: 3 (1 actively exploited, 2 publicly disclosed)
• Remote Code Execution flaws: 22 vulnerabilities
• Elevation of Privilege bugs: 56 vulnerabilities

Critical Zero-Day Vulnerabilities

CVE-2026-20805: Desktop Window Manager Information Disclosure (Actively Exploited)

The most pressing threat this month is an information disclosure flaw affecting Desktop Window Manager, which Microsoft confirms is being actively exploited by attackers. The vulnerability carries a CVSS score of 5.5 and allows authenticated attackers to access sensitive information on vulnerable systems.

This vulnerability enables attackers to leak section addresses from remote ALPC ports, which threat actors likely use in the next stage of their exploit chains to achieve arbitrary code execution. While information disclosure bugs are less commonly exploited than code execution vulnerabilities, this case demonstrates how memory leaks enable reliable exploitation of subsequent vulnerabilities.

Affected Systems:

• All supported Windows 11 versions (25H2, 24H2, 23H2)
• Windows 10 (Extended Security Updates customers)
• Windows Server editions

Mitigation Priority: IMMEDIATE

CVE-2026-21265: Secure Boot Certificate Expiration

Microsoft certificates stored in the UEFI Key Enrollment Key and database are nearing their expiration dates, requiring updates to maintain Secure Boot functionality and prevent future system issues. While exploitation likelihood is low, failure to address this vulnerability could result in boot failures and loss of system access starting in mid-2026.

CVSS Score: 6.4
Status: Publicly disclosed, not exploited
Impact: Systems may fail to boot or receive security updates after certificate expiration

CVE-2023-31096 & CVE-2024-55414: Legacy Modem Driver Vulnerabilities

Microsoft is removing vulnerable third-party Agere Soft Modem drivers that ship natively with supported Windows operating systems. The January updates remove the following drivers:

• agrsm64.sys (x64)
• agrsm.sys (x86)
• smserl64.sys (x64)
• smserial.sys (x86)

Organizations using modem hardware dependent on these drivers should note that this hardware will no longer function in Windows following the update.

Critical Remote Code Execution Vulnerabilities

CVE-2026-20854: Windows LSASS RCE

This critical vulnerability affects Windows Local Security Authority Subsystem Service with a CVSS score of 7.5, enabling authorized attackers to execute code on affected systems over a network. Successful exploitation does not require elevated privileges, though Microsoft assesses exploitation as "less likely."

Microsoft Office Vulnerabilities

Several critical remote code execution flaws affect Microsoft Office applications:

CVE-2026-20944 (Word): An out-of-bounds read vulnerability that could enable attackers to execute arbitrary code if victims open specially crafted malicious files. CVSS: 7.8

CVE-2026-20957 (Excel): An integer underflow vulnerability that could be leveraged by unauthorized attackers to execute arbitrary code, requiring victims to open malicious files. CVSS: 7.8

CVE-2026-20952, CVE-2026-20953 (Office): Both vulnerabilities carry CVSS scores of 8.4 and affect multiple Office components. Microsoft notes that the Preview Pane is an attack vector for these vulnerabilities, meaning exploitation does not require targets to open files.

Security Recommendation: Organizations concerned about Office-based attacks should consider disabling the Preview Pane feature to prevent exploitation without user interaction.

Critical Elevation of Privilege Vulnerabilities

CVE-2026-20822: Windows Graphics Component

This use-after-free vulnerability could enable attackers to obtain SYSTEM privileges on affected systems, though successful exploitation requires winning a race condition. CVSS: 7.8

CVE-2026-20876: Windows VBS Enclave

A heap-based buffer overflow in Windows Virtualization-Based Security Enclave could grant attackers Virtual Trust Level 2 privileges on affected systems. VTL2 represents the highest privileged level in VBS, and this marks one of the first VTL escalation bugs patched within the VBS system. CVSS: 6.7

Windows 11 Updates: KB5074109 & KB5073455

KB5074109 (Windows 11 25H2 & 24H2)

This update advances systems to:

• Build 26200.7623 (Windows 11 25H2)
• Build 26100.7623 (Windows 11 24H2)

Key Fixes:

The update addresses a battery issue affecting devices with Neural Processing Units that caused systems to stay powered on when idle, impacting power performance.

The update resolves networking problems where mirrored networking in Windows Subsystem for Linux could fail with "No route to host" errors, preventing access to corporate resources over VPN connections even when the Windows host remained connected.

Microsoft fixed RemoteApp connection failures occurring in Azure Virtual Desktop environments.

KB5073455 (Windows 11 23H2)

Build: 22631.6491

Contains identical security fixes and modem driver removals as KB5074109.

Known Issues

Microsoft acknowledges a continuing bug from August 2025 where the password icon is not visible on the lock screen sign-in options, though the password button remains functional when hovering over the placeholder space.

Windows 10 Updates: KB5073724

For organizations still running Windows 10 under Extended Security Updates programs:

• Build 19045.6575 (Windows 10 22H2)
• Build 19044.6575 (Windows 10 21H2)

The update includes security fixes and modem driver removals identical to Windows 11 updates. Microsoft reports no known issues in this update.

Additional Vendor Updates

Adobe Security Updates

Adobe released 11 bulletins addressing 25 CVEs across multiple products:

• Adobe Dreamweaver (5 Critical RCE vulnerabilities)
• Adobe InDesign (4 Critical vulnerabilities)
• Adobe Illustrator
• Adobe InCopy
• Adobe Bridge
• Substance 3D suite (Modeler, Stager, Painter, Sampler, Designer)
• ColdFusion (1 Priority 1 code execution bug)

Other Vendors

Cisco released security updates for an Identity Services Engine vulnerability with publicly available proof-of-concept exploit code.

Deployment Recommendations

Immediate Actions (Priority 1)

1. Deploy CVE-2026-20805 fixes immediately for all Windows systems, particularly internet-facing servers and endpoints with elevated user privileges
2. Test patches in staging environments due to potential regressions from driver removals
3. Prioritize deployment for:
   • WSUS servers
   • SMB file servers
   • Domain controllers
   • Azure Virtual Desktop hosts
   • Systems running Windows Subsystem for Linux

Short-Term Actions (Within 48-72 Hours)

4. Update Office applications to address Preview Pane exploit vectors
5. Enable automatic updates for consumer devices
6. Monitor CISA Known Exploited Vulnerabilities catalog for any rapid additions

Testing Considerations

• Test in staging environments due to potential regressions in drivers like Cloud Files Mini Filter
• Verify WSL networking functionality for developers and users accessing corporate VPN resources
• Test Azure Virtual Desktop RemoteApp connections
• Validate modem functionality if your organization relies on legacy modem hardware

Long-Term Planning

Organizations should prepare for the Secure Boot certificate expiration in mid-2026 by ensuring systems receive and install these updates promptly. Failure to update certificates could result in boot failures starting in June 2026.

Vulnerability Breakdown by Category

Detection and Response

Indicators to Monitor

• Unexpected SYSTEM process spawns from user-level processes
• DWM/dwmcore crashes with memory corruption signatures
• Anomalous ALPC port activity
• Failed boot attempts on systems with Secure Boot enabled

Detection Tools

Cisco Talos has released Snort rules to detect exploitation attempts, including Snort 2 rules 65498, 65499, 65663-65676, and Snort 3 rules 301344, 301368-301374.

Conclusion

The January 2026 Patch Tuesday introduces critical fixes that require prompt attention, particularly the actively exploited Desktop Window Manager vulnerability. Organizations should expedite testing and deployment of these updates while maintaining vigilance for signs of exploitation.

The removal of legacy modem drivers and upcoming Secure Boot certificate expiration highlight Microsoft's ongoing efforts to modernize the Windows platform and deprecate outdated components that pose security risks.

Security teams should treat this Patch Tuesday with high urgency, implementing a rapid deployment strategy for the actively exploited zero-day while following standard change management procedures for remaining updates.

Quick Reference

Release Date: January 13, 2026
Total CVEs: 114
Critical CVEs: 8
Actively Exploited: CVE-2026-20805
Windows 11 KB Numbers: KB5074109, KB5073455
Windows 10 KB Number: KB5073724

Resources:

• Microsoft Security Update Guide: msrc.microsoft.com
• Microsoft Update Catalog: catalog.update.microsoft.com
• CISA Known Exploited Vulnerabilities: cisa.gov/known-exploited-vulnerabilities

Next Patch Tuesday: February 11, 2026