Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited

Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild.

Of the 114 flaws, eight are rated Critical and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code execution, and five spoofing flaws. According to data collected by Fortra, the update marks the third-largest January Patch Tuesday after January 2025 and January 2022.

These patches are in addition to two security flaws that Microsoft has addressed in its Edge browser since the release of the December 2025 Patch Tuesday update, including a spoofing flaw in its Android app (CVE-2025-65046, CVSS score: 3.1) and a case of insufficient policy enforcement in Chromium's WebView tag (CVE-2026-0628, CVSS score: 8.8).

The vulnerability that has come under in-the-wild exploitation is CVE-2026-20805 (CVSS score: 5.5), an information disclosure flaw impacting Desktop Window Manager. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the flaw.

"Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager (DWM) allows an authorized attacker to disclose information locally," Microsoft said in an advisory. "The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section handle from a remote ALPC port, which is user-mode memory."

There are currently no details on how the vulnerability is being exploited, the scale of such efforts, or who may be behind the activity.

"DWM is responsible for drawing everything on the display of a Windows system, which means it presents an attractive combination of privileged access and universal availability, since almost any process might need to display something," Adam Barnett, lead software engineer at Rapid7, said in a statement. "In this case, exploitation leads to improper disclosure of an ALPC port section handle, which is a piece of user-mode memory where Windows components coordinate various actions between themselves."

Microsoft previously addressed an actively exploited zero-day flaw in DWM in May 2024 (CVE-2024-30051, CVSS score: 7.8), which was described as a privilege escalation flaw that was abused by multiple threat actors in connection with the distribution of QakBot and other malware families. Satnam Narang, senior staff research engineer at Tenable, called DWM a "frequent flyer" on Patch Tuesday, with 20 CVEs patched in the library since 2022.

Jack Bicer, director of vulnerability research at Action1, said the vulnerability can be exploited by a locally authenticated attacker to disclose information and defeat address space layout randomization (ASLR) and other defenses.

"Vulnerabilities of this nature are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits," Kev Breen, senior director of cyber threat research at Immersive, told The Hacker News.

"By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the latest fixes by February 3, 2026.

Another vulnerability of note concerns a security feature bypass impacting Secure Boot Certificate Expiration (CVE-2026-21265, CVSS score: 6.4) that could allow an attacker to undermine a crucial security mechanism that ensures that firmware modules come from a trusted source and prevents malware from being run during the boot process.

In November 2025, Microsoft announced that it will be expiring three Windows Secure Boot certificates issued in 2011, effective June 2026, urging customers to update to their 2023 counterparts:

  • Microsoft Corporation KEK CA 2011 (June 2026) – Microsoft Corporation KEK 2K CA 2023 (for signing updates to DB and DBX)
  • Microsoft Windows Production PCA 2011 (October 2026) – Windows UEFI CA 2023 (for signing the Windows boot loader)
  • Microsoft UEFI CA 2011 (June 2026) – Microsoft UEFI CA 2023 (for signing third-party boot loaders) and Microsoft Option ROM UEFI CA 2023 (for signing third-party option ROMs)

"Secure Boot certificates used by most Windows devices are set to expire beginning in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time," Microsoft said. "To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance."
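The practical question behind the rollover above is whether a given machine already has the 2023 CAs enrolled in its UEFI variables. The following script is an added example, not code from the article or from Microsoft; it reads the KEK and DB signature databases with the built-in Get-SecureBootUEFI cmdlet and searches them for the certificate subject names (the 2011 KEK and UEFI CAs are named "Microsoft Corporation ..." in the certificates themselves, which is the string the search uses). The function and variable names are the example's own.

```powershell
# Added example (not from the article or from Microsoft): check which of the
# expiring 2011 Secure Boot CAs and their 2023 replacements are enrolled in
# this machine's UEFI KEK and DB. Run from an elevated PowerShell on a UEFI host.
#Requires -RunAsAdministrator

# The three rollovers from the list above, keyed on the subject-name substrings
# that appear inside the DER-encoded certificates.
$Rollovers = @(
    [pscustomobject]@{ Variable = 'KEK'; Expiring = 'Microsoft Corporation KEK CA 2011';    Replacement = 'Microsoft Corporation KEK 2K CA 2023' }
    [pscustomobject]@{ Variable = 'db';  Expiring = 'Microsoft Windows Production PCA 2011'; Replacement = 'Windows UEFI CA 2023' }
    [pscustomobject]@{ Variable = 'db';  Expiring = 'Microsoft Corporation UEFI CA 2011';   Replacement = 'Microsoft UEFI CA 2023' }
    [pscustomobject]@{ Variable = 'db';  Expiring = 'Microsoft Corporation UEFI CA 2011';   Replacement = 'Microsoft Option ROM UEFI CA 2023' }
)

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes. The X.509
    # certificates inside store their subject names as ASCII, so a plain text
    # search is enough to see which CAs are enrolled without parsing DER.
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes)
    }
    catch {
        # Legacy BIOS boot, or the variable is not readable from this context.
        Write-Warning "Cannot read UEFI variable '$Name': $($_.Exception.Message)"
        return $null
    }
}

function Test-SecureBoot2023Rollover {
    # Read each variable once, then evaluate every rollover against it.
    $text = @{}
    foreach ($v in ($Rollovers.Variable | Select-Object -Unique)) {
        $text[$v] = Get-SecureBootVariableText -Name $v
    }
    foreach ($r in $Rollovers) {
        $blob = $text[$r.Variable]
        [pscustomobject]@{
            Variable    = $r.Variable
            Expiring    = $r.Expiring
            Replacement = $r.Replacement
            OldPresent  = ($null -ne $blob) -and ($blob -match [regex]::Escape($r.Expiring))
            NewPresent  = ($null -ne $blob) -and ($blob -match [regex]::Escape($r.Replacement))
        }
    }
}

try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }
Write-Host "Secure Boot enabled: $enabled"

$state = Test-SecureBoot2023Rollover
$state | Format-Table -AutoSize

# A device that still trusts only the 2011 CAs needs the certificate update
# before the June/October 2026 expiry dates given above.
$missing = @($state | Where-Object { -not $_.NewPresent })
if ($missing.Count -gt 0) {
    Write-Warning ('2023 CA(s) not yet enrolled: ' + (($missing.Replacement | Select-Object -Unique) -join ', '))
}
else {
    Write-Host 'All 2023 Secure Boot CAs are present in KEK and DB.'
}
```

Two caveats. Enrolling a 2023 CA in DB is only the first step of the rollover: the boot manager on the EFI system partition must also be replaced with one signed by the new CA before the 2011 trust can be withdrawn, and this script does not check that. And because the match is a substring search over the raw variable, an OEM that ships a certificate with a similar name could produce a false positive; if that matters, parse the EFI_SIGNATURE_LIST entries and compare certificate thumbprints instead.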

The Windows maker also pointed out that the latest update removes the Agere Soft Modem drivers "agrsm64.sys" and "agrsm.sys" that were shipped natively with the operating system. The third-party drivers are susceptible to a two-year-old local privilege escalation flaw (CVE-2023-31096, CVSS score: 7.8) that could allow an attacker to gain SYSTEM permissions.

In October 2025, Microsoft took steps to remove another Agere Modem driver called "ltmdm64.sys" following in-the-wild exploitation of a privilege escalation vulnerability (CVE-2025-24990, CVSS score: 7.8) that could enable an attacker to gain administrative privileges.
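Removing an inbox driver from the image does not guarantee it is gone from a host: a third-party package may have staged a copy in the driver store, or a service entry may still point at the file. The script below is an added example, not code from the article or from Microsoft, covering all three drivers named in the two paragraphs above (agrsm64.sys, agrsm.sys and ltmdm64.sys); it reports whether each is on disk, staged in the driver store, registered as a kernel service, or currently loaded. The function and variable names are the example's own.

```powershell
# Added example (not from the article or from Microsoft): report whether the
# Agere modem drivers named above are still on disk, staged, registered, or
# loaded on this host. Useful after installing the January 2026 update, and
# for spotting a third-party package that has re-introduced the driver.
#Requires -RunAsAdministrator

$AgereDrivers = @(
    [pscustomobject]@{ File = 'agrsm64.sys'; CVE = 'CVE-2023-31096' }
    [pscustomobject]@{ File = 'agrsm.sys';   CVE = 'CVE-2023-31096' }
    [pscustomobject]@{ File = 'ltmdm64.sys'; CVE = 'CVE-2025-24990' }
)

function Get-AgereDriverState {
    $driverDir  = Join-Path $env:SystemRoot 'System32\drivers'
    $storeDir   = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    # Kernel drivers as the Service Control Manager knows them, running or not.
    $sysDrivers = Get-CimInstance -ClassName Win32_SystemDriver
    foreach ($d in $AgereDrivers) {
        $inbox   = Join-Path $driverDir $d.File
        $pattern = [regex]::Escape($d.File) + '$'
        # A copy left in the driver store can be re-staged by Plug and Play even
        # after the inbox copy under System32\drivers is gone.
        $staged  = @(Get-ChildItem -Path $storeDir -Recurse -Filter $d.File -ErrorAction SilentlyContinue)
        $svc     = @($sysDrivers | Where-Object { $_.PathName -and ($_.PathName -match $pattern) })
        $onDisk  = Test-Path -LiteralPath $inbox
        $signer  = ''
        if ($onDisk) {
            # Who signed the binary that is actually on disk (inbox copies are
            # Microsoft-signed; a vendor-supplied copy will show the OEM).
            $signer = (Get-AuthenticodeSignature -FilePath $inbox).SignerCertificate.Subject
        }
        [pscustomobject]@{
            Driver       = $d.File
            CVE          = $d.CVE
            InboxOnDisk  = $onDisk
            StagedCopies = $staged.Count
            Service      = ($svc.Name -join ',')
            Loaded       = [bool]($svc | Where-Object { $_.State -eq 'Running' })
            Signer       = $signer
        }
    }
}

$state = Get-AgereDriverState
$state | Format-Table -AutoSize

$exposed = @($state | Where-Object { $_.InboxOnDisk -or $_.StagedCopies -gt 0 -or $_.Loaded })
if ($exposed.Count -gt 0) {
    Write-Warning ('Vulnerable Agere driver still present: ' + ($exposed.Driver -join ', '))
}
else {
    Write-Host 'No Agere modem drivers found on disk, in the driver store, or loaded.'
}
```

If a staged copy turns up, the owning package can be listed with pnputil /enum-drivers and removed with pnputil /delete-driver; a loaded instance means a device is still bound to it and should be investigated before removal, since the update only deletes the inbox copy.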

Also high on the priority list should be CVE-2026-20876 (CVSS score: 6.7), a critical-rated privilege escalation flaw in Windows Virtualization-Based Security (VBS) Enclave, enabling an attacker to obtain Virtual Trust Level 2 (VTL2) privileges and leverage them to subvert security controls, establish deep persistence, and evade detection.

"It breaks the security boundary designed to protect Windows itself, allowing attackers to climb into one of the most trusted execution layers of the system," Mike Walters, president and co-founder of Action1, said.

"Although exploitation requires high privileges, the impact is severe because it compromises virtualization-based security itself. Attackers who already have a foothold could use this flaw to defeat advanced defenses, making prompt patching essential to maintain trust in Windows security boundaries."

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

  • ABB
  • Adobe
  • Amazon Web Services
  • AMD
  • Arm
  • ASUS
  • Broadcom (including VMware)
  • Cisco
  • ConnectWise
  • Dassault Systèmes
  • D-Link
  • Dell
  • Devolutions
  • Drupal
  • Elastic
  • F5
  • Fortinet
  • Fortra
  • Foxit Software
  • FUJIFILM
  • Gigabyte
  • GitLab
  • Google Android and Pixel
  • Google Chrome
  • Google Cloud
  • Grafana
  • Hikvision
  • HP
  • HP Enterprise (including Aruba Networking and Juniper Networks)
  • IBM
  • Imagination Technologies
  • Lenovo
  • Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
  • MediaTek
  • Mitel
  • Mitsubishi Electric
  • MongoDB
  • Moxa
  • Mozilla Firefox and Firefox ESR
  • n8n
  • NETGEAR
  • Node.js
  • NVIDIA
  • ownCloud
  • QNAP
  • Qualcomm
  • Ricoh
  • Samsung
  • SAP
  • Schneider Electric
  • ServiceNow
  • Siemens
  • SolarWinds
  • SonicWall
  • Sophos
  • Spring Framework
  • Synology
  • TP-Link
  • Trend Micro, and
  • Veeam