Microsoft on Tuesday rolled out its first safety replace for 2026, addressing 114 safety flaws, together with one vulnerability that it mentioned has been actively exploited within the wild.
Of the 114 flaws, eight are rated Essential, and 106 are rated Essential in severity. As many as 58 vulnerabilities have been labeled as privilege escalation, adopted by 22 info disclosure, 21 distant code execution, and 5 spoofing flaws. In accordance with knowledge collected by Fortra, the replace marks the third-largest January Patch Tuesday after January 2025 and January 2022.
These patches are along with two safety flaws that Microsoft has addressed in its Edge browser for the reason that launch of the December 2025 Patch Tuesday replace, together with a spoofing flaw in its Android app (CVE-2025-65046, 3.1) and a case of inadequate coverage enforcement in Chromium’s WebView tag (CVE-2026-0628, CVSS rating: 8.8).
The vulnerability that has come beneath in-the-wild exploitation is CVE-2026-20805 (CVSS rating: 5.5), an info disclosure flaw impacting Desktop Window Supervisor. The Microsoft Menace Intelligence Middle (MTIC) and Microsoft Safety Response Middle (MSRC) have been credited with figuring out and reporting the flaw.
“Publicity of delicate info to an unauthorized actor in Desktop Home windows Supervisor (DWM) permits a certified attacker to reveal info domestically,” Microsoft mentioned in an advisory. “The kind of info that might be disclosed if an attacker efficiently exploited this vulnerability is a bit handle from a distant ALPC port, which is user-mode reminiscence.”
There are presently no particulars on how the vulnerability is being exploited, the size of such efforts, and who could also be behind the exercise.
“DWM is liable for drawing every part on the show of a Home windows system, which implies it presents an attractive mixture of privileged entry and common availability, since nearly any course of may must show one thing,” Adam Barnett, lead software program engineer at Rapid7, mentioned in a press release. “On this case, exploitation results in improper disclosure of an ALPC port part handle, which is a bit of user-mode reminiscence the place Home windows parts coordinate numerous actions between themselves.”
Microsoft beforehand addressed an actively exploited zero-day flaw in DWM in Could 2024 (CVE-2024-30051, CVSS rating: 7.8), which was described as a privilege escalation flaw that was abused by a number of risk actors, in reference to the distribution of QakBot and different malware households. Satnam Narang, senior workers analysis engineer at Tenable, referred to as DWM a “frequent flyer” on Patch Tuesday, with 20 CVEs patched within the library since 2022.
Jack Bicer, director of vulnerability analysis at Action1, mentioned the vulnerability could be exploited by a domestically authenticated attacker to reveal info, defeat handle area structure randomization (ASLR), and different defenses.
“Vulnerabilities of this nature are generally used to undermine Tackle House Structure Randomization (ASLR), a core working system safety management designed to guard in opposition to buffer overflows and different memory-manipulation exploits,” Kev Breen, senior director of cyber risk analysis at Immersive, instructed The Hacker Information.
“By revealing the place code resides in reminiscence, this vulnerability could be chained with a separate code execution flaw, remodeling a fancy and unreliable exploit right into a sensible and repeatable assault.”
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has since added the flaw to its Recognized Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Government Department (FCEB) companies to use the newest fixes by February 3, 2026.
One other vulnerability of observe considerations a safety characteristic bypass impacting Safe Boot Certificates Expiration (CVE-2026-21265, CVSS rating: 6.4) that would enable an attacker to undermine a vital safety mechanism that ensures that firmware modules come from a trusted supply and forestall malware from being run in the course of the boot course of.
In November 2025, Microsoft introduced that it will likely be expiring three Home windows Safe Boot certificates issued in 2011, efficient June 2026, urging prospects to replace to their 2023 counterparts –
Microsoft Company KEK CA 2011 (June 2026) – Microsoft Company KEK 2K CA 2023 (for signing updates to DB and DBX)
Microsoft Home windows Manufacturing PCA 2011 (October 2026) – Home windows UEFI CA 2023 (for signing the Home windows boot loader)
Microsoft UEFI CA 2011 (June 2026) – Microsoft UEFI CA 2023 (for signing third-party boot loaders) and Microsoft Possibility ROM UEFI CA 2023 (for signing third-party possibility ROMs)
“Safe Boot certificates utilized by most Home windows units are set to run out beginning in June 2026. This may have an effect on the flexibility of sure private and enterprise units besides securely if not up to date in time,” Microsoft mentioned. “To keep away from disruption, we suggest reviewing the steering and taking motion to replace certificates prematurely.”
The Home windows maker additionally identified that the newest replace removes Agere Tender Modem drivers “agrsm64.sys” and “agrsm.sys” that had been shipped natively with the working system. The third-party drivers are vulnerable to a two-year-old native privilege escalation flaw (CVE-2023-31096, CVSS rating: 7.8) that would enable an attacker to realize SYSTEM permissions.
In October 2025, Microsoft took steps to take away one other Agere Modem driver referred to as “ltmdm64.sys” following in-the-wild exploitation of a privilege escalation vulnerability (CVE-2025-24990, CVSS rating: 7.8) that would allow an attacker to realize administrative privileges.
Additionally excessive on the precedence record ought to be CVE-2026-20876 (CVSS rating: 6.7), a critical-rated privilege escalation flaw in Home windows Virtualization-Primarily based Safety (VBS) Enclave, enabling an attacker to acquire Digital Belief Degree 2 (VTL2) privileges, and leverage it to subvert safety controls, set up deep persistence, and evade detection.
“It breaks the safety boundary designed to guard Home windows itself, permitting attackers to climb into one of the crucial trusted execution layers of the system,” Mike Walters, president and co-founder of Action1, mentioned.
“Though exploitation requires excessive privileges, the influence is extreme as a result of it compromises virtualization-based safety itself. Attackers who have already got a foothold might use this flaw to defeat superior defenses, making immediate patching important to keep up belief in Home windows safety boundaries.”
Software program Patches from Different Distributors
Along with Microsoft, safety updates have additionally been launched by different distributors for the reason that begin of the month to rectify a number of vulnerabilities, together with —
ABB
Adobe
Amazon Internet Companies
AMD
Arm
ASUS
Broadcom (together with VMware)
Cisco
ConnectWise
Dassault Systèmes
D-Hyperlink
Dell
Devolutions
Drupal
Elastic
F5
Fortinet
Fortra
Foxit Software program
FUJIFILM
Gigabyte
GitLab
Google Android and Pixel
Google Chrome
Google Cloud
Grafana
Hikvision
HP
HP Enterprise (together with Aruba Networking and Juniper Networks)
IBM
Creativeness Applied sciences
Lenovo
Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Crimson Hat, Rocky Linux, SUSE, and Ubuntu
MediaTek
Mitel
Mitsubishi Electrical
MongoDB
Moxa
Mozilla Firefox and Firefox ESR
n8n
NETGEAR
Node.js
NVIDIA
ownCloud
QNAP
Qualcomm
Ricoh
Samsung
SAP
Schneider Electrical
ServiceNow
Siemens
SolarWinds
SonicWall
Sophos
Spring Framework
Synology
TP-Hyperlink
Pattern Micro, and
Veeam
