Microsoft patches 112 CVEs on first Patch Tuesday of 2026
January brings a larger-than-of-late Patch Tuesday update out of Redmond, but an uptick in disclosures is often expected at this time of year.
Microsoft has pushed fixes for 112 common vulnerabilities and exposures (CVEs) on the first Patch Tuesday of 2026, among them a number of zero-day flaws that were either publicly disclosed or actively exploited prior to patching, and no fewer than eight critical bugs.
Although this is a sharp increase in comparison to recent Patch Tuesdays – December 2025 saw Microsoft patch just 56 flaws – it is important to note that the festive season is frequently a quieter time for patches, sometimes by design, and January often brings an uptick in disclosures. Nevertheless, observed Jack Bicer, director of vulnerability research at patch management firm Action1, the volume of fixes in the latest update underscores “growing pressure” on security teams.
“This comes against a broader trend: in 2025, reported vulnerabilities increased by 12% over 2024, continuing the upward trajectory of disclosed security flaws,” said Bicer.
Paramount among these flaws is CVE-2026-20805, an information disclosure vulnerability in Desktop Window Manager, discovered by Microsoft’s own Threat Intelligence and Security Response Centers.
Although it bears a relatively low Common Vulnerability Scoring System (CVSS) score of just 5.5, active exploitation of CVE-2026-20805 has been observed in the wild, Microsoft said
“The flaw leaks a memory address from a remote ALPC [Asynchronous Local Procedure Call] port. This type of information disclosure vulnerability is often used to defeat Address Space Layout Randomisation (ASLR) – a security feature in modern operating systems designed to protect against buffer overflows and other exploits that rely on manipulating the memory of a running application,” explained Immersive senior director of cyber threat research, Kev Breen.
“Once they know where code resides in memory, they can chain this with a separate code execution bug to turn a difficult exploit into a reliable one,” he said. “Microsoft doesn’t provide any information on what other components that chain could involve – making it harder for defenders to threat hunt for potential exploitation attempts, meaning patching quickly is the only mitigation for now.”
Ivanti vice president of security product management, Chris Goettl, agreed with this assessment. “The vulnerability affects all currently supported and extended security update supported versions of the Windows OS,” he said, “[so] a risk-based prioritisation methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.”
Next up is a security feature bypass (SFB) flaw in Secure Boot Certificate Expiration, tracked as CVE-2026-21265. It, too, carries a comparatively low CVSS score and Microsoft only rates it as Important. However, said Goettl, it has been publicly disclosed and security teams would be wise to look into it.
“The fix provides a warning regarding certificates that will be expiring in 2026 and details on actions that are required to up renew certificates prior to their expiration in addition to the update,” he said.
“It is recommended to start investigating what actions your organisation may need to take to prevent potential serviceability and security as certificates expire.”
The remaining items on the zero-day list – again both publicly disclosed but not known to be exploited, date back three and four years respectively. Both are elevation of privilege (EoP) flaws affecting soft modem drivers that ship natively with supported Windows operating systems.
The older of the two, CVE-2023-31096, is to be found in Agere Soft Modem Driver, and the more recent one, CVE-2024-55414 in Windows Motorola Soft Modem Driver. Microsoft’s solution is to remove the affected drivers, agrsm64.sys and arsm.sys in the first instances and smserl64.sys and smserial.sys in the second, as part of the January cumulative update.
This means soft modem hardware that depends on them will now cease to work on Windows. Microsoft said admins should act quickly to remove any existing dependencies on the affected hardware.
Critical flaws
The critically-rated flaws in the January 2026 Patch Tuesday drop comprise six remote code execution (RCE) issues and two EoP issues.
The RCE flaws affect Microsoft Excel, Microsoft Office and Windows Local Security Authority Subsystem Service (LSASS). They have been assigned designations CVE-2026-20854, CVE-2026-20944, CVE-2026-20952, CVE-2026-20953, CVE-2026-20955 and CVE-2026-20957.
The EoP flaws are CVE-2026-20822, which impacts the Windows Graphics Component, and CVE-2026-20876, which impacts Windows Virtualization-Based Security (VBS) Enclave.
Mike Walters, president and co-founder at Action1, said the VBS flaw was worth particular attention because “it breaks the security boundary designed to protect Windows itself, allowing attackers to climb into the one of the most trusted execution layers of the system”.
Walters warned of a serious risk to organisations that lean on VBS in order to protect credentials and other secrets, or sensitive workloads, because if exploited successfully, an attacker might be able to bypass security controls, achieve persistence, evade detection, and hit systems that security teams believe to be strongly isolated.
“Although exploitation requires high privileges, the impact is severe because it compromises virtualisation-based security itself. Attackers who already have a foothold could use this flaw to defeat advanced defenses, making prompt patching essential to maintain trust in Windows security boundaries,” he said.
“If the patch cannot be applied immediately, restrict administrative access, enforce strong privilege management, and monitor for abnormal activity involving VBS or enclave-related processes.”
