Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited - The Hacker News

Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited Ravie LakshmananJan 14, 2026Vulnerability / Threat Intelligence Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild. Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code execution, and five spoofing flaws. According to data collected by Fortra, the update marks the third-largest January Patch Tuesday after January 2025 and January 2022. These patches are in addition to two security flaws that Microsoft has addressed in its Edge browser since the release of the December 2025 Patch Tuesday update, including a spoofing flaw in its Android app (CVE-2025-65046, 3.1) and a case of insufficient policy enforcement in Chromium's WebView tag (CVE-2026-0628, CVSS score: 8.8). The vulnerability that has come under in-the-wild exploitation is CVE-2026-20805 (CVSS score: 5.5), an information disclosure flaw impacting Desktop Window Manager. The Microsoft Threat Intelligence Center (MTIC) and Microsoft Security Response Center (MSRC) have been credited with identifying and reporting the flaw. "Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager (DWM) allows an authorized attacker to disclose information locally," Microsoft said in an advisory. "The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port, which is user-mode memory." There are currently no details on how the vulnerability is being exploited, the scale of such efforts, and who may be behind the activity. "DWM is responsible for drawing everything on the display of a Windows system, which means it offers an enticing combination of privileged access and universal availability, since just about any process might need to display something," Adam Barnett, lead software engineer at Rapid7, said in a statement. "In this case, exploitation leads to improper disclosure of an ALPC port section address, which is a section of user-mode memory where Windows components coordinate various actions between themselves." Microsoft previously addressed an actively exploited zero-day flaw in DWM in May 2024 (CVE-2024-30051, CVSS score: 7.8), which was described as a privilege escalation flaw that was abused by multiple threat actors, in connection with the distribution of QakBot and other malware families. Satnam Narang, senior staff research engineer at Tenable, called DWM a "frequent flyer" on Patch Tuesday, with 20 CVEs patched in the library since 2022. Jack Bicer, director of vulnerability research at Action1, said the vulnerability can be exploited by a locally authenticated attacker to disclose information, defeat address space layout randomization (ASLR), and other defenses. "Vulnerabilities of this nature are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits," Kev Breen, senior director of cyber threat research at Immersive, told The Hacker News. "By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack." The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the latest fixes by February 3, 2026. Another vulnerability of note concerns a security feature bypass impacting Secure Boot Certificate Expiration (CVE-2026-21265, CVSS score: 6.4) that could allow an attacker to undermine a crucial security mechanism that ensures that firmware modules come from a trusted source and prevent malware from being run during the boot process. In November 2025, Microsoft announced that it will be expiring three Windows Secure Boot certificates issued in 2011, effective June 2026, urging customers to update to their 2023 counterparts - Microsoft Corporation KEK CA 2011 (June 2026) - Microsoft Corporation KEK 2K CA 2023 (for signing updates to DB and DBX) Microsoft Windows Production PCA 2011 (October 2026) - Windows UEFI CA 2023 (for signing the Windows boot loader) Microsoft UEFI CA 2011 (June 2026) - Microsoft UEFI CA 2023 (for signing third-party boot loaders) and Microsoft Option ROM UEFI CA 2023 (for signing third-party option ROMs) "Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time," Microsoft said. "To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance." The Windows maker also pointed out that the latest update removes Agere Soft Modem drivers "agrsm64.sys" and "agrsm.sys" that were shipped natively with the operating system. The third-party drivers are susceptible to a two-year-old local privilege escalation flaw (CVE-2023-31096, CVSS score: 7.8) that could allow an attacker to gain SYSTEM permissions. In October 2025, Microsoft took steps to remove another Agere Modem driver called "ltmdm64.sys" following in-the-wild exploitation of a privilege escalation vulnerability (CVE-2025-24990, CVSS score: 7.8) that could permit an attacker to gain administrative privileges. Also high on the priority list should be CVE-2026-20876 (CVSS score: 6.7), a critical-rated privilege escalation flaw in Windows Virtualization-Based Security (VBS) Enclave, enabling an attacker to obtain Virtual Trust Level 2 (VTL2) privileges, and leverage it to subvert security controls, establish deep persistence, and evade detection. "It breaks the security boundary designed to protect Windows itself, allowing attackers to climb into one of the most trusted execution layers of the system," Mike Walters, president and co-founder of Action1, said. "Although exploitation requires high privileges, the impact is severe because it compromises virtualization-based security itself. Attackers who already have a foothold could use this flaw to defeat advanced defenses, making prompt patching essential to maintain trust in Windows security boundaries." Software Patches from Other Vendors In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including — ABB Adobe Amazon Web Services AMD Arm ASUS Broadcom (including VMware) Cisco ConnectWise Dassault Systèmes D-Link Dell Devolutions Drupal Elastic F5 Fortinet Fortra Foxit Software FUJIFILM Gigabyte GitLab Google Android and Pixel Google Chrome Google Cloud Grafana Hikvision HP HP Enterprise (including Aruba Networking and Juniper Networks) IBM Imagination Technologies Lenovo Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu MediaTek Mitel Mitsubishi Electric MongoDB Moxa Mozilla Firefox and Firefox ESR n8n NETGEAR Node.js NVIDIA ownCloud QNAP Qualcomm Ricoh Samsung SAP Schneider Electric ServiceNow Siemens SolarWinds SonicWall Sophos Spring Framework Synology TP-Link Trend Micro, and Veeam Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, Microsoft, patch Tuesday, privilege escalation, remote code execution, Secure Boot, Threat Intelligence, Vulnerability Trending News OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Load More ▼ Popular Resources Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Identity Controls Checklist: Find Missing Protections in Apps