
Microsoft January 2026 Patch Tuesday Fixes 100+ Vulnerabilities, Including 3 Zero-Day Flaws - LinkedIn

Source: LinkedIn. Archived Mar 17, 2026.




Microsoft on Tuesday released its January 2026 Patch Tuesday security updates, addressing a total of 114 vulnerabilities across Windows and related components, including one actively exploited zero-day flaw and two additional zero-days that had already been publicly disclosed. The updates underscore the continuing intensity of vulnerability discovery in the Windows ecosystem and reinforce long-standing guidance from security professionals urging rapid patch deployment, particularly in enterprise environments.

According to Microsoft’s advisory, the January release includes 8 vulnerabilities rated “Critical,” a designation reserved for flaws that could allow widespread compromise without user interaction. Of these, 6 are remote code execution (RCE) vulnerabilities, while 2 enable elevation of privilege, potentially allowing attackers to gain full control of affected systems.

Breakdown of Vulnerabilities

The 114 flaws fixed this month span nearly every major category tracked by Microsoft and the broader security community:

- 2 Denial of Service vulnerabilities
- 3 Tampering vulnerabilities
- 3 Security Feature Bypass vulnerabilities
- 5 Spoofing vulnerabilities
- 22 Information Disclosure vulnerabilities
- 22 Remote Code Execution vulnerabilities
- 57 Elevation of Privilege vulnerabilities

It is worth noting the continued dominance of elevation-of-privilege bugs, and how attackers increasingly chain lower-severity vulnerabilities with phishing or malware to escalate access once inside a network, rather than relying solely on single, high-impact exploits.

Three Zero-Days Addressed, One Actively Exploited in the Wild

Microsoft confirmed that this month’s updates address three zero-day vulnerabilities, defined by the company as flaws that were either publicly disclosed or actively exploited before an official patch was available.

Actively Exploited Zero-Day: Desktop Window Manager

The most urgent fix addresses CVE-2026-20805, an information disclosure vulnerability in the Windows Desktop Window Manager (DWM) that Microsoft says has already been exploited in real-world attacks. Desktop Window Manager is a core Windows component responsible for rendering the graphical user interface.

While the vulnerability does not allow direct code execution, Microsoft warns that successful exploitation can leak sensitive memory information that could be used to bypass protections such as Address Space Layout Randomization (ASLR), making follow-on attacks significantly easier.

“Exposure of sensitive information to an unauthorized actor in Desktop Window Manager allows an authorized attacker to disclose information locally,” Microsoft said in its advisory.

Specifically, the flaw allows an attacker to read memory addresses associated with a remote Advanced Local Procedure Call (ALPC) port, revealing user-mode memory locations. Security researchers note that information disclosure bugs of this nature are often used as building blocks in sophisticated exploit chains, particularly by advanced threat actors.

Microsoft credited the discovery to its Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC), but did not disclose details about how the vulnerability was exploited, a common practice intended to limit copycat attacks.

Secure Boot Certificate Expiration Raises Long-Term Risk

One of the publicly disclosed zero-days, CVE-2026-21265, is less about a single exploit and more about a looming systemic risk tied to Windows Secure Boot certificates issued in 2011, many of which are nearing expiration later this year. Secure Boot is a foundational security feature designed to prevent malicious code from loading during the system startup process.

Microsoft warned that systems not updated in time may become vulnerable to Secure Boot bypasses, potentially allowing attackers to load unsigned or malicious boot components. Microsoft identified three critical certificates approaching expiration:

- Microsoft Corporation KEK CA 2011 – Expires June 24, 2026 (used to sign updates to Secure Boot databases)
- Microsoft Corporation UEFI CA 2011 – Expires June 27, 2026 (used to sign third-party boot loaders and option ROMs)
- Microsoft Windows Production PCA 2011 – Expires October 19, 2026 (used to sign the Windows Boot Manager)

The January 2026 updates renew these certificates, preserving the Secure Boot trust chain and ensuring systems can continue to verify legitimate boot components. Microsoft had previously warned administrators about this issue in a June advisory titled “Windows Secure Boot certificate expiration and CA updates,” but this Patch Tuesday marks a major step in mitigating the risk at scale. Delayed patching could lead to serious boot-level compromise scenarios, particularly in enterprise and government environments where long-lived hardware is common.

Legacy Modem Driver Vulnerability Finally Removed

The third zero-day addressed this month, CVE-2023-31096, concerns a long-standing elevation-of-privilege vulnerability in the Agere Soft Modem drivers (agrsm64.sys and agrsm.sys), which ship with supported versions of Windows. Microsoft first warned about active exploitation of these third-party drivers in the October Patch Tuesday, noting that attackers were using the flaw to obtain administrative privileges on compromised systems. At the time, Microsoft indicated that a future update would remove the vulnerable drivers entirely.

That removal has now taken place. “This is an announcement of the removal of agrsm64.sys and agrsm.sys drivers,” Microsoft said. “The drivers have been removed in the January 2026 cumulative update.”

The vulnerability was attributed to Zeze with TeamT5, a cybersecurity research team known for tracking advanced persistent threats in Asia. Security analysts view the removal as a significant step toward reducing Windows’ attack surface by eliminating outdated legacy components that no longer serve most users.

Broader Implications and Patch Urgency

January’s Patch Tuesday reinforces several ongoing trends in the threat landscape:

- Zero-days remain a persistent risk, even in mature platforms like Windows.
- Information disclosure vulnerabilities continue to play a critical role in advanced exploit chains.
- Legacy components and certificates represent long-term security liabilities if not proactively retired.

Microsoft strongly recommends that users and organizations apply these updates as soon as possible, particularly given the confirmed exploitation of at least one vulnerability. For enterprises, security teams are advised to prioritize patches related to Desktop Window Manager and Secure Boot, while also reviewing systems for any dependency on removed legacy drivers.

As attackers increasingly focus on stealth, persistence, and post-compromise escalation, Patch Tuesday updates like January 2026’s serve as a reminder that timely patching remains one of the most effective defenses against real-world cyber threats.
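The Secure Boot certificate expiration described above is something an administrator can measure directly: the UEFI `db` variable is a chain of EFI_SIGNATURE_LIST structures, and each X.509 entry carries its own notAfter date. The script below is an added example, written for this page and not code from the article or from Microsoft. It parses a raw `db` export (on Windows, `Get-SecureBootUEFI -Name db -OutputFilePath db.bin` writes the variable to a file; `-Name KEK` works the same way for the KEK) and lists certificates that expire within a chosen window. Everything after the `constructed sample data` marker is made up so the script runs offline: the certificates are hand-built DER stand-ins with dummy keys, the 2026-06-27 expiry and CA name are taken from the article, and the January 13, 2026 release date is an assumption used as the reference point.

```python
"""Flag Secure Boot 'db' certificates that expire soon, from a raw UEFI variable export."""
import datetime as dt
import struct
import sys
import uuid

# EFI_CERT_X509_GUID (UEFI spec): marks an EFI_SIGNATURE_LIST whose entries are DER certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)
UTC = dt.timezone.utc
PATCH_TUESDAY = dt.datetime(2026, 1, 13, tzinfo=UTC)  # assumed release date of the January 2026 update


def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed DER value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _der_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _der_cn(buf, start, end):
    """Extract commonName from a DER Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    for _, rdn_s, rdn_e in _der_children(buf, start, end):
        for _, atv_s, atv_e in _der_children(buf, rdn_s, rdn_e):
            (_, oid_s, oid_e), (vtag, v_s, v_e) = list(_der_children(buf, atv_s, atv_e))
            if buf[oid_s:oid_e] == CN_OID:
                return buf[v_s:v_e].decode("utf-16-be" if vtag == 0x1E else "utf-8")
    return "<no CN>"


def cert_summary(der):
    """Return (commonName, notAfter) for a DER-encoded X.509 certificate."""
    _, cert_s, _ = _der_tlv(der, 0)                       # Certificate SEQUENCE
    _, tbs_s, tbs_e = _der_tlv(der, cert_s)               # tbsCertificate SEQUENCE
    fields = list(_der_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    tag, na_s, na_e = list(_der_children(der, fields[3][1], fields[3][2]))[1]  # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    not_after = dt.datetime.strptime(der[na_s:na_e].decode("ascii"), fmt).replace(tzinfo=UTC)
    return _der_cn(der, fields[4][1], fields[4][2]), not_after


def x509_entries(blob):
    """Walk the EFI_SIGNATURE_LIST chain of a db/dbx export and yield each DER certificate."""
    pos = 0
    while pos + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < 28:
            break                                          # corrupt list: stop instead of looping forever
        if sig_type == EFI_CERT_X509_GUID:
            for s in range(pos + 28 + hdr_size, pos + list_size, sig_size):
                yield blob[s + 16:s + sig_size]            # skip the 16-byte SignatureOwner GUID
        pos += list_size


def expiring_certs(blob, now, within_days=180):
    """Return [(commonName, notAfter, daysLeft)] for certs expiring within `within_days` of now."""
    out = []
    for der in x509_entries(blob):
        cn, not_after = cert_summary(der)
        days_left = (not_after - now).days
        if days_left <= within_days:
            out.append((cn, not_after, days_left))
    return out


# --- constructed sample data so the script runs offline (not real Microsoft certificates) ---
def _tlv(tag, value):
    """Encode a DER tag-length-value (short and long-form lengths up to 65535)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + value


def _fake_cert(cn, not_after):
    """Stand-in CA certificate: real DER layout, dummy algorithm, key and signature fields."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))))
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    validity = _tlv(0x30, utc(not_after - dt.timedelta(days=3650)) + utc(not_after))
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name
               + validity + name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))


def _signature_lists(certs):
    """One EFI_SIGNATURE_LIST per certificate (SignatureSize is fixed per list; certs differ in size)."""
    out = b""
    for der in certs:
        entry = uuid.UUID(int=0).bytes_le + der            # SignatureOwner GUID + SignatureData
        out += EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry)) + entry
    return out


SAMPLE_DB = _signature_lists([
    _fake_cert("Microsoft Corporation UEFI CA 2011", dt.datetime(2026, 6, 27, tzinfo=UTC)),
    _fake_cert("Example Long-Lived CA 2023", dt.datetime(2038, 1, 1, tzinfo=UTC)),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DB
    for cn, not_after, days in expiring_certs(blob, dt.datetime.now(UTC)):
        print(f"{cn}: expires {not_after:%Y-%m-%d} ({days} days left)")
```

Run it with the path to an exported `db.bin` to check a real machine, or with no argument to see the constructed sample. A fleet-wide version of the same check, fed from the renewed variables after the January update is installed, is a simple way to confirm that the 2011 CAs have actually been superseded rather than trusting that the update applied.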