Microsoft Patch Tuesday, January 2026 Security Update Review
Starting the year on a security-first note, Microsoft’s January 2026 Patch Tuesday resolves several vulnerabilities that could impact enterprise environments. Here’s a quick breakdown of what you need to know.
This month’s release addresses 115 vulnerabilities, including eight critical and 106 important-severity vulnerabilities.
In this month’s updates, Microsoft has addressed three zero-day vulnerabilities. One of them was exploited, and two are publicly disclosed.
Microsoft addressed one vulnerability in Microsoft Edge (Chromium-based) that was patched earlier this month.
Microsoft Patch Tuesday, January edition, includes updates for vulnerabilities in Windows Ancillary Function Driver for WinSock, Windows Client-Side Caching (CSC) Service, Windows NTFS, Windows NTLM, Windows Remote Assistance, Windows Remote Procedure Call, Windows Server Update Service, Windows Cloud Files Mini Filter Driver, Windows Management Services, and more.
From elevation of privilege flaws to remote code execution risks, this month’s patches are essential for organizations aiming to maintain a robust security posture.
The January 2026 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
|---|---|---|
| Spoofing Vulnerability | 5 | Important: 5 |
| Denial of Service Vulnerability | 2 | Important: 2 |
| Elevation of Privilege Vulnerability | 57 | Critical: 2, Important: 55 |
| Information Disclosure Vulnerability | 22 | Important: 22 |
| Remote Code Execution Vulnerability | 22 | Critical: 6, Important: 16 |
| Security Feature Bypass Vulnerability | 3 | Important: 3 |
Zero-day Vulnerabilities Patched in January Patch Tuesday Edition
CVE-2026-20805: Desktop Window Manager Information Disclosure Vulnerability
An unauthenticated attacker may exploit the vulnerability to disclose information locally. Upon successful exploitation, an attacker can expose a section address belonging to a remote ALPC port, that is, an address in user-mode memory.
MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability
Microsoft's advisory refers to “the vulnerabilities in the third-party Agere Soft Modem drivers that ship natively with supported Windows operating systems.” Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. Microsoft fixes this vulnerability by removing the agrsm64.sys and agrsm.sys drivers.
CVE-2026-21265: Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
Upon successful exploitation of the vulnerability, an attacker could bypass Secure Boot.
Microsoft has advised that the Windows Secure Boot certificates issued in 2011 are nearing expiration, and that systems which are not updated face an increased risk of threat actors bypassing Secure Boot.
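Two items in this release leave a verifiable footprint on a patched host: the Agere fix removes agrsm64.sys and agrsm.sys, and the Secure Boot servicing for the expiring 2011 certificates adds the 2023 CAs to the UEFI db. The PowerShell below is an added post-patch check, not code from the Qualys post or from Microsoft; the function names are assumptions, and the 2023 CA names are taken from Microsoft's published Secure Boot certificate guidance, not from this page.

```powershell
#Requires -RunAsAdministrator
# Added example: verify two January 2026 fixes landed on this host.
# Function names are assumptions; CA subject strings come from Microsoft's Secure Boot guidance.

function Test-AgereModemDriverRemoved {
    # CVE-2023-31096 is fixed by removing the driver files; report any copy or loaded instance left behind.
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    $remaining = foreach ($name in 'agrsm64.sys', 'agrsm.sys') {
        $path = Join-Path $driverDir $name
        if (Test-Path -LiteralPath $path) { $path }
    }
    $loaded = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'agrsm' } |
        Select-Object -ExpandProperty PathName
    [pscustomobject]@{
        Check  = 'Agere soft modem driver removed'
        Pass   = (-not $remaining) -and (-not $loaded)
        Detail = if ($remaining -or $loaded) { (@($remaining) + @($loaded)) -join '; ' } else { 'No agrsm driver found' }
    }
}

function Test-SecureBoot2023Ca {
    # CVE-2026-21265: a serviced system has 'Windows UEFI CA 2023' in the UEFI db alongside the 2011 certs.
    # The other two 2023 CAs are reported for information; not every platform needs them in db.
    $required = 'Windows UEFI CA 2023'
    $optional = 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023'
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            return [pscustomobject]@{ Check = 'Secure Boot 2023 CA in db'; Pass = $false; Detail = 'Secure Boot is not enabled' }
        }
        # The db is a DER blob; certificate subject names are ASCII-searchable within it.
        $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    } catch {
        return [pscustomobject]@{ Check = 'Secure Boot 2023 CA in db'; Pass = $false; Detail = "UEFI query failed: $($_.Exception.Message)" }
    }
    $hasRequired = $db -match [regex]::Escape($required)
    $present     = $optional | Where-Object { $db -match [regex]::Escape($_) }
    [pscustomobject]@{
        Check  = 'Secure Boot 2023 CA in db'
        Pass   = $hasRequired
        Detail = "Required '$required': $hasRequired; optional present: $(if ($present) { $present -join ', ' } else { 'none' })"
    }
}

@(Test-AgereModemDriverRemoved; Test-SecureBoot2023Ca) | Format-Table -AutoSize -Wrap
```

A Pass of $false on the Secure Boot check after the update has been installed usually means the certificate servicing has not yet run on that device, which is a state to track rather than a sign of compromise.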
Critical Severity Vulnerabilities Patched in January Patch Tuesday Edition
CVE-2026-20822: Windows Graphics Component Elevation of Privilege Vulnerability
A use-after-free flaw in the Microsoft Graphics Component may allow an authenticated attacker to elevate privileges locally. An attacker must win a race condition to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
CVE-2026-20876: Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
A heap-based buffer overflow flaw in Windows Virtualization-Based Security (VBS) Enclave could allow an authenticated attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain Virtual Trust Level 2 (VTL2) privileges.
CVE-2026-20944: Microsoft Word Remote Code Execution Vulnerability
An out-of-bounds read flaw in Microsoft Office Word may allow an unauthenticated attacker to achieve remote code execution. An attacker must send the user a malicious file and convince them to open it for the vulnerability to be successfully exploited.
CVE-2026-20952 & CVE-2026-20953: Microsoft Office Remote Code Execution Vulnerability
A use-after-free flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.
CVE-2026-20955: Microsoft Excel Remote Code Execution Vulnerability
Successful exploitation of the vulnerability may allow an unauthenticated attacker to achieve remote code execution.
CVE-2026-20854: Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
The Local Security Authority Subsystem Service (LSASS) is a core Windows process that handles user authentication, enforces security policies, manages sensitive credentials (such as passwords and NTLM hashes), and generates access tokens for users.
A use-after-free in the Windows Local Security Authority Subsystem Service allows an authorized attacker to execute code over a network.
CVE-2026-20957: Microsoft Excel Remote Code Execution Vulnerability
An integer underflow flaw in Microsoft Office Excel allows an unauthenticated attacker to achieve remote code execution.
Other Microsoft Vulnerability Highlights
- CVE-2026-20816 is an elevation of privilege vulnerability in the Windows Installer. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2026-20817 is an elevation of privilege vulnerability in the Windows Error Reporting Service. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges.
- CVE-2026-20820 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. A heap-based buffer overflow flaw could allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-20840 & CVE-2026-20922 are remote code execution vulnerabilities in Windows NTFS. A heap-based buffer overflow flaw could allow an authenticated attacker to achieve remote code execution.
- CVE-2026-20860 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. A type confusion flaw may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-20843 is an elevation of privilege vulnerability in the Windows Routing and Remote Access Service (RRAS). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2026-20871 is an elevation of privilege vulnerability in Desktop Window Manager. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows Deployment Services, SQL Server, Windows Hello, Desktop Window Manager, Printer Association Object, Windows Kernel Memory, Windows Win32K – ICOMP, Windows LDAP – Lightweight Directory Access Protocol, Graphics Kernel, Capability Access Management Service (camsvc), Windows Installer, Windows Error Reporting, Windows Kernel, Windows Virtualization-Based Security (VBS) Enclave, Windows Common Log File System Driver, Microsoft Graphics Component, Windows File Explorer, Windows Hyper-V, Tablet Windows User Interface (TWINUI) Subsystem, Windows Internet Connection Sharing (ICS), Windows TPM, Windows Remote Procedure Call Interface Definition Language (IDL), Windows Kerberos, Windows Shell, Windows Media, Windows DWM, Windows Routing and Remote Access Service (RRAS), Windows Clipboard Server, Windows SMB Server, Windows WalletService, Windows Local Security Authority Subsystem Service (LSASS), Windows Kernel-Mode Drivers, Connected Devices Platform Service (Cdpsvc), Windows Local Session Manager (LSM), Windows HTTP.sys, Windows Telephony Service, Windows NDIS, Host Process for Windows Tasks, Microsoft Office, Microsoft Office Word, Microsoft Office Excel, Microsoft Office SharePoint, Dynamic Root of Trust for Measurement (DRTM), Windows Admin Center, Inbox COM Objects, Azure Connected Machine Agent, Azure Core shared client library for Python, Windows Secure Boot, Agere Windows Modem Driver, Windows Motorola Soft Modem Driver, and Microsoft Edge (Chromium-based).
Visit the January 2026 Security Updates to access the full description of each vulnerability and the systems it affects.
Qualys customers can scan their network with QIDs 110514, 110515, 386287, 386317, 386318, 92341, 92342, 92343, 92344, and 92347 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://msrc.microsoft.com/update-guide
https://msrc.microsoft.com/update-guide/releaseNote/2026-Jan
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21265
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20822
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20876
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20944
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20952
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20953
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20955
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20854
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20957
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20805
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-31096