Microsoft has officially released its first security update of 2026, and it’s a significant one. The company’s January 2026 Patch Tuesday release addressed 114 security vulnerabilities, including 112 newly patched CVEs and 2 updated advisories.
The update comprises eight Critical vulnerabilities, several significant flaws, two publicly disclosed vulnerabilities, and one actively exploited zero-day CVE-2026-20805, which requires organizations to focus on patching this month.
Actively Exploited Zero-Day CVE-2026-20805 and Publicly Disclosed Vulnerabilities
The most critical issue is CVE-2026-20805, an Important information disclosure vulnerability in Windows Desktop Window Manager with a CVSS score of 5.5 that an unauthorized attacker can exploit to gain access to sensitive information, which is disclosed locally. It could be disclosed and allows an attacker to leak a section from a remote ALPC port that is user-mode memory.
The company has confirmed, saying, “The vulnerability has exploited in the wild.” The zero-day affects different Windows versions, including Windows 10, Windows 11, and Windows Server, and requires no user interaction.
In this release, two publicly disclosed zero-day vulnerabilities were also addressed. CVE-2023-31096, an elevation of privilege flaw in Windows Agre Soft Modem drivers (CVSS 7.8), that allows attackers to escalate privileges to the SYSTEM level.
Microsoft has patched this by removing the affected drivers. Another vulnerability, CVE-2026-21265, impacts Windows Secure Boot and has a CVSS score of 6.4. If an attacker exploits this vulnerability, it could bypass Secure Boot, a security feature, through flaws in certificate update mechanisms via local access to the system. However, CVE-2026-21265 hasn’t been exploited in the wild as of now.
Critical Remote Code Execution Vulnerabilities in Microsoft Office
Two critical RCE vulnerabilities were found in Microsoft Office. Mainly, CVE-2026-20952 and CVE-2026-20953 (CVSS 8.4). Exploitation occurs through malicious emails or links to the target user, and the preview pane acts as an attack vector for these two vulnerabilities, allowing code execution with no user interaction.
Furthermore, three Critical flaws in Microsoft Office products, including Word and Excel. CVE-2026-20944 is a remote code execution vulnerability in Microsoft Word with a CVSS score of 8.4. Alongside CVE-2026-20955 and CVE-2026-2057, critical remote code execution vulnerabilities in Microsoft Excel, with a CVSS score of 7.8.
Microsoft on the Windows side has also patched Critical vulnerabilities in Windows Graphics, LSASS, and Virtualization-Based Security (VBS) Enclave, some of which may enable attackers to obtain SYSTEM-level privileges or bypass highly guarded security layers.
Microsoft makes the point that patching is necessary; however, organizations need to start implementing a security-first approach, as not all vulnerabilities can be resolved immediately.
To stay tuned with more such daily tech updates, take a look at our news section now!
Recommended For You:
Google Chrome Zero Day Vulnerability: All You Need to Know About
