Microsoft Patches Three Zero-Days in January 2026 Patch Tuesday

Microsoft has released its January 2026 Patch Tuesday updates, addressing a substantial 114 security flaws across its product ecosystem. This month's security update cycle includes fixes for three zero-day vulnerabilities—one of which is being actively exploited in the wild—and eight Critical-rated bugs that require immediate attention from system administrators.

The update portfolio includes 57 elevation of privilege vulnerabilities, 22 remote code execution flaws, 22 information disclosure issues, and several other categories of security defects. While this count excludes Microsoft Edge and Mariner vulnerabilities fixed earlier in the month, it represents one of the larger Patch Tuesday releases in recent memory.

Actively Exploited Zero-Day: Desktop Window Manager Memory Leak

The most urgent fix addresses CVE-2026-20805, an information disclosure vulnerability in the Desktop Window Manager (DWM) that Microsoft confirms is being actively exploited by threat actors. This flaw allows an authorized local attacker to read sensitive memory addresses from a remote ALPC (Asynchronous Local Procedure Call) port.

According to Microsoft's advisory, the vulnerability exposes "a section address from a remote ALPC port which is user-mode memory." While the company attributes the discovery to its Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) teams, they have not disclosed details about how the exploit is being used in attacks or who is behind them.

The DWM handles window composition and visual effects in Windows, making it a persistent background process on all modern systems. Attackers who successfully leverage this flaw could potentially gather memory layout information useful for crafting additional exploits or understanding system configurations.

Secure Boot Certificate Expiration: A Ticking Clock

CVE-2026-21265 addresses an impending security crisis: Secure Boot certificates issued in 2011 are nearing expiration, which would allow threat actors to bypass Secure Boot protections on unpatched systems. This security feature bypass vulnerability affects three critical certificates:

• Microsoft Corporation KEK CA 2011 (expires June 24, 2026) - Signs updates to the UEFI Key Exchange Keys
• Microsoft Corporation UEFI CA 2011 (expires June 27, 2026) - Signs third-party boot loaders and Option ROMs
• Microsoft Windows Production PCA 2011 (expires October 19, 2026) - Signs the Windows Boot Manager

Secure Boot is a UEFI security feature that verifies the digital signatures of boot loaders before executing them, preventing rootkits and other boot-level malware from loading during system startup. When these certificates expire, systems without updates would reject legitimate boot components while potentially allowing malicious ones that use expired but still-valid signatures.

Microsoft had previously disclosed this issue in a June 2025 advisory, giving administrators advance warning. The January patches renew these certificates to preserve the Secure Boot trust chain. Organizations managing Windows systems should verify that their deployment processes include these updates before the certificate expiration dates.

Legacy Modem Driver Finally Removed

The third zero-day, CVE-2023-31096, represents a different approach to vulnerability management: removal rather than patching. This elevation of privilege vulnerability in the Agere Soft Modem driver has been known since at least October 2025, when Microsoft warned that the vulnerable drivers were being exploited to gain administrative privileges.

Rather than patching the driver, Microsoft has now removed it entirely from Windows systems through the January 2026 cumulative update. The drivers agrsm64.sys and agrsm.sys have been purged, eliminating the attack vector. This approach makes sense for legacy hardware components that are no longer actively supported or widely used.

Microsoft attributes this vulnerability discovery to Zeze with TeamT5, a security research group that has previously identified other Windows driver vulnerabilities.

Critical-Rated Vulnerabilities Demand Immediate Action

Among the eight Critical-rated vulnerabilities patched this month, several stand out for their potential impact:

Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution (CVE-2026-20854): LSASS handles authentication and security policy enforcement, making any RCE vulnerability in this component particularly dangerous. Successful exploitation could allow remote code execution with system-level privileges.

Microsoft Office RCE Flaws: Multiple Critical-rated remote code execution vulnerabilities affect Microsoft Office components, including Excel (CVE-2026-20956, CVE-2026-20957) and general Office functionality (CVE-2026-20952, CVE-2026-20953). These typically exploit through malicious documents and remain a primary attack vector for targeted campaigns.

Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege (CVE-2026-20876): This Critical-rated flaw affects VBS enclaves, which are isolated memory regions designed to protect sensitive operations like credential guard and code integrity services.

Broader Security Ecosystem Updates

The January 2026 security landscape extends well beyond Microsoft's patches:

Adobe released updates for InDesign, Illustrator, InCopy, Bridge, and multiple Substance 3D products, addressing various security issues across their creative software suite.

Cisco patched a vulnerability in Identity Services Engine (ISE) with a publicly available proof-of-concept exploit, making immediate patching critical for organizations using Cisco's network access control solution.

Fortinet addressed multiple product vulnerabilities, including two remote code execution flaws.

D-Link confirmed active exploitation of a new vulnerability affecting end-of-life routers, highlighting the ongoing risks of using unsupported networking equipment.

Google released Android's January security bulletin, fixing a critical "DD+ Codec" vulnerability in Dolby components that could be exploited through media files.

JavaScript/Node.js Ecosystem: The jsPDF library fixed a critical vulnerability that could allow arbitrary file smuggling from servers during PDF generation. Meanwhile, the workflow automation platform n8n patched a maximum-severity vulnerability dubbed "Ni8mare" that enables server hijacking.

Enterprise Software: SAP addressed a 9.9/10 rated code injection flaw in Solution Manager, ServiceNow disclosed a critical privilege escalation vulnerability in its AI Platform, and Trend Micro patched a critical flaw in Apex Central that allows SYSTEM-level code execution.

Backup Solutions: Veeam released updates for Backup & Replication software, including a critical RCE vulnerability, reminding organizations that backup systems themselves require security hardening.

Practical Recommendations

Prioritize Zero-Day Patches: The actively exploited DWM vulnerability (CVE-2026-20805) should be treated as an emergency patch. While it requires local access, it may be chained with other vulnerabilities in attack campaigns.

Secure Boot Certificate Management: The certificate expiration issue (CVE-2026-21265) requires planning beyond just installing updates. Organizations should:

• Verify all systems receive January 2026 updates before certificate expiration dates
• Test boot processes on updated systems to ensure no compatibility issues
• Document which systems might be affected if updates cannot be applied

Legacy Driver Removal: The Agere modem driver removal should be transparent, but administrators should verify that any specialized applications relying on this legacy hardware still function correctly after the update.

Third-Party Coordination: With major vendors like Adobe, Cisco, and SAP releasing updates, organizations should coordinate patching across their entire software stack. The jsPDF and n8n vulnerabilities demonstrate that even development tools and automation platforms require security attention.

Certificate Expiration Planning: The Secure Boot certificate issue serves as a reminder to audit all certificate-based security systems in your environment. Set up monitoring for certificate expiration dates across PKI infrastructure, code signing certificates, and hardware security modules.

This Patch Tuesday underscores the complexity of modern security maintenance, where even foundational components like window managers and boot security require constant vigilance. The mix of actively exploited flaws, architectural security issues, and third-party vulnerabilities demands a comprehensive patch management strategy that extends beyond Microsoft's monthly updates.

For detailed information about each vulnerability, administrators can review Microsoft's complete security update guide at Microsoft Security Update Guide.