MR - stock.adobe.com
Microsoft patches 112 CVEs on first Patch Tuesday of 2026
January brings a larger-than-of-late Patch Tuesday update out of Redmond, but an uptick in disclosures is often expected at this time of year.
Microsoft has pushed fixes for 112 common vulnerabilities and exposures (CVEs) on the first Patch Tuesday of 2026, among them a number of zero-day flaws that were either publicly disclosed or actively exploited prior to patching, and no fewer than eight critical bugs.
Although this is a sharp increase in comparison to recent Patch Tuesdays – December 2025 saw Microsoft patch just 56 flaws – it is important to note that the festive season is frequently a quieter time for patches, sometimes by design, and January often brings an uptick in disclosures. Nevertheless, observed Jack Bicer, director of vulnerability research at patch management firm Action1, the volume of fixes in the latest update underscores “growing pressure” on security teams.
“This comes against a broader trend: in 2025, reported vulnerabilities increased by 12% over 2024, continuing the upward trajectory of disclosed security flaws,” said Bicer.
Paramount among these flaws is CVE-2026-20805, an information disclosure vulnerability in Desktop Window Manager, discovered by Microsoft’s own Threat Intelligence and Security Response Centers.
Although it bears a relatively low Common Vulnerability Scoring System (CVSS) score of just 5.5, active exploitation of CVE-2026-20805 has been observed in the wild, Microsoft said
“The flaw leaks a memory address from a remote ALPC [Asynchronous Local Procedure Call] port. This type of information disclosure vulnerability is often used to defeat Address Space Layout Randomisation (ASLR) – a security feature in modern operating systems designed to protect against buffer overflows and other exploits that rely on manipulating the memory of a running application,” explained Immersive senior director of cyber threat research, Kev Breen.
“Once they know where code resides in memory, they can chain this with a separate code execution bug to turn a difficult exploit into a reliable one,” he said. “Microsoft doesn't provide any information on what other components that chain could involve – making it harder for defenders to threat hunt for potential exploitation attempts, meaning patching quickly is the only mitigation for now.”
Ivanti vice president of security product management, Chris Goettl, agreed with this assessment. “The vulnerability affects all currently supported and extended security update supported versions of the Windows OS,” he said, “[so] a risk-based prioritisation methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.”
Next up is a security feature bypass (SFB) flaw in Secure Boot Certificate Expiration, tracked as CVE-2026-21265. It, too, carries a comparatively low CVSS score and Microsoft only rates it as Important. However, said Goettl, it has been publicly disclosed and security teams would be wise to look into it.
“The fix provides a warning regarding certificates that will be expiring in 2026 and details on actions that are required to up renew certificates prior to their expiration in addition to the update,” he said.
“It is recommended to start investigating what actions your organisation may need to take to prevent potential serviceability and security as certificates expire.”
The remaining items on the zero-day list – again both publicly disclosed but not known to be exploited, date back three and four years respectively. Both are elevation of privilege (EoP) flaws affecting soft modem drivers that ship natively with supported Windows operating systems.
The older of the two, CVE-2023-31096, is to be found in Agere Soft Modem Driver, and the more recent one, CVE-2024-55414 in Windows Motorola Soft Modem Driver. Microsoft’s solution is to remove the affected drivers, agrsm64.sys and arsm.sys in the first instances and smserl64.sys and smserial.sys in the second, as part of the January cumulative update.
This means soft modem hardware that depends on them will now cease to work on Windows. Microsoft said admins should act quickly to remove any existing dependencies on the affected hardware.
Critical flaws
The critically-rated flaws in the January 2026 Patch Tuesday drop comprise six remote code execution (RCE) issues and two EoP issues.
The RCE flaws affect Microsoft Excel, Microsoft Office and Windows Local Security Authority Subsystem Service (LSASS). They have been assigned designations CVE-2026-20854, CVE-2026-20944, CVE-2026-20952, CVE-2026-20953, CVE-2026-20955 and CVE-2026-20957.
The EoP flaws are CVE-2026-20822, which impacts the Windows Graphics Component, and CVE-2026-20876, which impacts Windows Virtualization-Based Security (VBS) Enclave.
Mike Walters, president and co-founder at Action1, said the VBS flaw was worth particular attention because “it breaks the security boundary designed to protect Windows itself, allowing attackers to climb into the one of the most trusted execution layers of the system”.
Walters warned of a serious risk to organisations that lean on VBS in order to protect credentials and other secrets, or sensitive workloads, because if exploited successfully, an attacker might be able to bypass security controls, achieve persistence, evade detection, and hit systems that security teams believe to be strongly isolated.
“Although exploitation requires high privileges, the impact is severe because it compromises virtualisation-based security itself. Attackers who already have a foothold could use this flaw to defeat advanced defenses, making prompt patching essential to maintain trust in Windows security boundaries,” he said.
“If the patch cannot be applied immediately, restrict administrative access, enforce strong privilege management, and monitor for abnormal activity involving VBS or enclave-related processes.”
Read more about Patch Tuesday
- December 2025: The final Patch Tuesday update of the year brings 56 new CVEs, bringing the year-end total to more than 1,100.
- November 2025: An elevation of privilege vulnerability in Windows Kernel tops the list of issues to address in the latest monthly Patch Tuesday update.
- October 2025: Windows 10 is no longer supported, but that does not mean it is not impacted by the latest Patch Tuesday update.
- September 2025: Nearly half the CVEs Microsoft disclosed in its September security update, including one publicly known bug, enable escalation of privileges (Dark Reading).
- August 2025: Microsoft rolls out fixes for over 100 CVEs in its August Patch Tuesday update.
- July 2025: Microsoft patched well over 100 new common vulnerabilities and exposures on the second Tuesday of the month, but its latest update is mercifully light on zero-days.
- June 2025: Barely 70 vulnerabilities make the cut for Microsoft’s monthly security update, but an RCE flaw in WEBDAV and an EoP issue in Windows SMB Client still warrant close attention.
- May 2025: Microsoft fixes five exploited, and two publicly disclosed, zero-days in the fifth Patch Tuesday update of 2025.
- April 2025: Microsoft is correcting 124 vulnerabilities in its April Patch Tuesday, one of which is being actively exploited in the wild, and 11 of which are ‘critical’.
- March 2025: The third Patch Tuesday of 2025 brought fixes for 57 flaws and a hefty number of zero-days.
- February 2025: Microsoft corrected 57 vulnerabilities, two of which are being actively exploited in the wild, and three of which are ‘critical’.
- January 2025: The largest Patch Tuesday of the 2020s so far brings fixes for more than 150 CVEs ranging widely in their scope and severity – including eight zero-day flaws.
