Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited

Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild.

Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code execution, and five spoofing flaws. According to data collected by Fortra, the update marks the third-largest January Patch Tuesday after January 2025 and January 2022.

These patches are in addition to two security flaws that Microsoft has addressed in its Edge browser since the release of the December 2025 Patch Tuesday update, including a spoofing flaw in its Android app (CVE-2025-65046, 3.1) and a case of insufficient policy enforcement in Chromium’s WebView tag (CVE-2026-0628, CVSS score: 8.8).

The vulnerability that has come under in-the-wild exploitation is CVE-2026-20805 (CVSS score: 5.5), an information disclosure flaw impacting Desktop Window Manager. The Microsoft Threat Intelligence Center (MTIC) and Microsoft Security Response Center (MSRC) have been credited with identifying and reporting the flaw.

“Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager (DWM) allows an authorized attacker to disclose information locally,” Microsoft said in an advisory. “The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port, which is user-mode memory.”

There are currently no details on how the vulnerability is being exploited, the scale of such efforts, and who may be behind the activity.

“DWM is responsible for drawing everything on the display of a Windows system, which means it offers an enticing combination of privileged access and universal availability, since just about any process might need to display something,” Adam Barnett, lead software engineer at Rapid7, said in a statement. “In this case, exploitation leads to improper disclosure of an ALPC port section address, which is a section of user-mode memory where Windows components coordinate various actions between themselves.”

Microsoft previously addressed an actively exploited zero-day flaw in DWM in May 2024 (CVE-2024-30051, CVSS score: 7.8), which was described as a privilege escalation flaw that was abused by multiple threat actors, in connection with the distribution of QakBot and other malware families. Satnam Narang, senior staff research engineer at Tenable, called DWM a “frequent flyer” on Patch Tuesday, with 20 CVEs patched in the library since 2022.

Jack Bicer, director of vulnerability research at Action1, said the vulnerability can be exploited by a locally authenticated attacker to disclose information, defeat address space layout randomization (ASLR), and other defenses.

“Vulnerabilities of this nature are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits,” Kev Breen, senior director of cyber threat research at Immersive, told The Hacker News.

“By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the latest fixes by February 3, 2026.

Another vulnerability of note concerns a security feature bypass impacting Secure Boot Certificate Expiration (CVE-2026-21265, CVSS score: 6.4) that could allow an attacker to undermine a crucial security mechanism that ensures that firmware modules come from a trusted source and prevent malware from being run during the boot process.

In November 2025, Microsoft announced that it will be expiring three Windows Secure Boot certificates issued in 2011, effective June 2026, urging customers to update to their 2023 counterparts –

• Microsoft Corporation KEK CA 2011 (June 2026) – Microsoft Corporation KEK 2K CA 2023 (for signing updates to DB and DBX)
• Microsoft Windows Production PCA 2011 (October 2026) – Windows UEFI CA 2023 (for signing the Windows boot loader)
• Microsoft UEFI CA 2011 (June 2026) – Microsoft UEFI CA 2023 (for signing third-party boot loaders) and Microsoft Option ROM UEFI CA 2023 (for signing third-party option ROMs)

“Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time,” Microsoft said. “To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance.”

The Windows maker also pointed out that the latest update removes Agere Soft Modem drivers “agrsm64.sys” and “agrsm.sys” that were shipped natively with the operating system. The third-party drivers are susceptible to a two-year-old local privilege escalation flaw (CVE-2023-31096, CVSS score: 7.8) that could allow an attacker to gain SYSTEM permissions.

In October 2025, Microsoft took steps to remove another Agere Modem driver called “ltmdm64.sys” following in-the-wild exploitation of a privilege escalation vulnerability (CVE-2025-24990, CVSS score: 7.8) that could permit an attacker to gain administrative privileges.

Also high on the priority list should be CVE-2026-20876 (CVSS score: 6.7), a critical-rated privilege escalation flaw in Windows Virtualization-Based Security (VBS) Enclave, enabling an attacker to obtain Virtual Trust Level 2 (VTL2) privileges, and leverage it to subvert security controls, establish deep persistence, and evade detection.

“It breaks the security boundary designed to protect Windows itself, allowing attackers to climb into one of the most trusted execution layers of the system,” Mike Walters, president and co-founder of Action1, said.

“Although exploitation requires high privileges, the impact is severe because it compromises virtualization-based security itself. Attackers who already have a foothold could use this flaw to defeat advanced defenses, making prompt patching essential to maintain trust in Windows security boundaries.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

• ABB
• Adobe
• Amazon Web Services
• AMD
• Arm
• ASUS
• Broadcom (including VMware)
• Cisco
• ConnectWise
• Dassault Systèmes
• D-Link
• Dell
• Devolutions
• Drupal
• Elastic
• F5
• Fortinet
• Fortra
• Foxit Software
• FUJIFILM
• Gigabyte
• GitLab
• Google Android and Pixel
• Google Chrome
• Google Cloud
• Grafana
• Hikvision
• HP
• HP Enterprise (including Aruba Networking and Juniper Networks)
• IBM
• Imagination Technologies
• Lenovo
• Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
• MediaTek
• Mitel
• Mitsubishi Electric
• MongoDB
• Moxa
• Mozilla Firefox and Firefox ESR
• n8n
• NETGEAR
• Node.js
• NVIDIA
• ownCloud
• QNAP
• Qualcomm
• Ricoh
• Samsung
• SAP
• Schneider Electric
• ServiceNow
• Siemens
• SolarWinds
• SonicWall
• Sophos
• Spring Framework
• Synology
• TP-Link
• Trend Micro, and
• Veeam