Microsoft's January 2026 Patch Tuesday: 114 Vulnerabilities Fixed, Including Actively Exploited Zero-Day
- John Jordan

Microsoft has kicked off 2026 with a significant security update, releasing patches for 114 vulnerabilities in its January Patch Tuesday. This release includes one actively exploited zero-day flaw and two other publicly disclosed zero-days, alongside numerous critical and important security issues across Windows and its associated products.
Key Takeaways
- 114 Vulnerabilities Addressed: The January update tackles a substantial number of security flaws.
- Actively Exploited Zero-Day: CVE-2026-20805, an information disclosure vulnerability in the Desktop Window Manager, was being exploited in the wild.
- Three Zero-Days: In addition to the exploited flaw, two other zero-days were patched.
- Critical Flaws: Eight vulnerabilities are rated Critical, including six remote code execution flaws.
- Secure Boot Certificates: Patches address expiring Secure Boot certificates, crucial for system integrity.
- Legacy Driver Removal: Vulnerable Agere Soft Modem drivers have been removed from Windows.
Actively Exploited Zero-Day in Desktop Window Manager
The most pressing issue addressed is CVE-2026-20805, an information disclosure vulnerability affecting the Desktop Window Manager (DWM). Microsoft confirmed this flaw was actively exploited before a patch was available. While it doesn't allow direct code execution, successful exploitation can lead to the disclosure of sensitive memory information. This data could be used to bypass security measures like Address Space Layout Randomization (ASLR), making subsequent attacks easier.
Other Zero-Days and Critical Vulnerabilities
Two other zero-day vulnerabilities were also patched. CVE-2026-21265 relates to expiring Windows Secure Boot certificates, which could allow attackers to bypass boot security if not updated. The third zero-day, CVE-2023-31096, involved a legacy Agere Soft Modem driver that has now been removed from Windows. The update also includes eight critical vulnerabilities, six of which are remote code execution (RCE) flaws, posing a significant risk to systems.
Secure Boot Certificate Expiration
Microsoft is also addressing a looming issue with Secure Boot certificates issued in 2011, many of which are set to expire in mid-2026. These certificates are vital for ensuring that only trusted software loads during the boot process. The January patches renew these certificates to prevent potential security bypasses and ensure continued system integrity. Failure to update could leave systems unable to boot securely or receive future updates.
Removal of Legacy Drivers
As part of this update, Microsoft has removed vulnerable Agere Soft Modem drivers (agrsm64.sys and agrsm.sys). These drivers were previously identified as being exploited for privilege escalation. Their removal is part of Microsoft's ongoing effort to reduce the attack surface by eliminating outdated and insecure legacy components.
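A local check for the drivers named above, as an added example that is not from Microsoft or the original article: it lists any remaining copies of agrsm64.sys or agrsm.sys and any kernel driver service whose image path points at them. The search directories are assumptions about a default Windows layout, and the script is meant to be run from an elevated PowerShell prompt.

```powershell
# Added example: inventory leftover Agere Soft Modem driver files and services.
# File names are from the article; the search roots are assumed defaults.
$driverNames = @('agrsm64.sys', 'agrsm.sys')
$searchRoots = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

# 1. Copies of the driver binaries still on disk (driver store included).
$fileFindings = foreach ($root in $searchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($name in $driverNames) {
        Get-ChildItem -LiteralPath $root -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Kind     = 'File'
                    Name     = $_.Name
                    Location = $_.FullName
                    Detail   = "version=$($_.VersionInfo.FileVersion); signature=$($sig.Status)"
                    SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# 2. Kernel driver services whose image path points at one of those files.
$escaped = $driverNames | ForEach-Object { [regex]::Escape($_) }
$pattern = '(^|[\\/])(' + ($escaped -join '|') + ')$'
$serviceFindings = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName.Trim('"') -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{
            Kind     = 'Service'
            Name     = $_.Name
            Location = $_.PathName
            Detail   = "state=$($_.State); start=$($_.StartMode)"
            SHA256   = $null
        }
    }

# Drop empty results so the count reflects real findings only.
$findings = @(@($fileFindings) + @($serviceFindings) | Where-Object { $_ })
if ($findings.Count -eq 0) {
    Write-Output 'No Agere Soft Modem driver files or services found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A host that still reports a file or a service entry is worth checking against its update history for the January release.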
Vulnerability Breakdown
The 114 vulnerabilities patched cover a wide range of issues, including:
- 57 Elevation of Privilege vulnerabilities
- 22 Remote Code Execution vulnerabilities
- 22 Information Disclosure vulnerabilities
- 5 Spoofing vulnerabilities
- 3 Security Feature Bypass vulnerabilities
- 3 Tampering vulnerabilities
- 2 Denial of Service vulnerabilities
Microsoft urges users and organizations to apply these updates promptly, especially given the confirmed exploitation of CVE-2026-20805. Prioritizing patches for critical components like the Desktop Window Manager and Secure Boot is essential for maintaining a strong security posture.