Microsoft's Patch Tuesday Starts 2026 With a Bang — & a Zero-Day - Dark Reading

Microsoft Starts 2026 With a Bang: A Freshly Exploited Zero-Day

The vendor's first Patch Tuesday of the year also contains fixes for 112 CVEs, nearly double the amount from last month.

Jai Vijayan, Contributing Writer
January 13, 2026

Security teams expecting another modest Patch Tuesday after December are likely to be disappointed with Microsoft's January update, which tackles 112 common vulnerabilities and exposures (CVEs), or nearly double the amount addressed last month.

Among them is a zero-day vulnerability in Desktop Window Manager (DWM) designated as CVE-2026-20805 (CVSS score: 5.5), which attackers are already exploiting to leak memory address information that could weaken system protections and enable follow-on attacks.

Actively Exploited Zero-Day

DWM controls how application windows appear on a user's screen and is a component that has had its share of vulnerabilities over the years, said Satnam Narang, senior staff research engineer at Tenable, in a prepared comment. The latest vulnerability — the first information disclosure zero-day bug in DWM — allows attackers to steal information that could help them escalate privileges, Narang said.

Though Microsoft itself has assessed CVE-2026-20805 as being only of relatively moderate severity, the fact that attackers are already exploiting it only heightens the risk, added Jack Bicer, director of vulnerability research at Action1.

"For organizations, this vulnerability increases the risk of successful multi-stage attacks," Bicer cautioned. "Leaked memory details can be combined with other vulnerabilities to achieve privilege escalation or data theft, potentially leading to broader system compromise, regulatory exposure, and loss of trust."

More Likely to Be Exploited

Microsoft identified eight of the vulnerabilities in its January update as issues that attackers are more likely to exploit for a variety of reasons. Among them are two remote code execution (RCE) vulnerabilities in Windows NTFS — CVE-2026-20840 (CVSS score: 7.8) and CVE-2026-20922 (CVSS score: 7.8). Both are buffer overflow vulnerabilities that an attacker with prior access to a system can exploit to execute arbitrary code on it.

Kev Breen, senior director of threat research at Immersive, urged organizations to address the two vulnerabilities immediately, considering it was a third party that identified and reported the issues to Microsoft. That makes it likely that technical details on the bugs could become publicly available soon, heightening the urgency for organizations to patch them, he said in emailed comments.

"If detailed information is made public, this could quickly become an n-day vulnerability, creating a narrow window in which organizations can apply patches before exploitation becomes widespread," Breen said.

A Slew of Elevation of Privilege Bugs

The remaining six vulnerabilities in this month's set that Microsoft thinks threat actors will likely abuse are all elevation-of-privilege (EoP) flaws that allow attackers who already have access to a system to escalate their access levels. The six flaws are CVE-2026-20816 in Windows Installer; CVE-2026-20817 in Windows Error Reporting; CVE-2026-20820 in Windows Common Log File System Driver; CVE-2026-20843, affecting Windows Routing and Remote Access Service; CVE-2026-20860 in Windows Ancillary Function Driver for WinSock; and CVE-2026-20871 in Desktop Window Manager. Microsoft assigned each of these bugs an identical severity score of 7.8 out of 10 on the CVSS scale.

As always, some of the flaws that Microsoft tagged as less likely to be exploited still need priority attention.
CVE-2026-20876, an EoP bug in Windows Virtualization Based Security (VBS) Enclave, is one example. The flaw allows an attacker to break through the security barriers of Windows and gain access to the most trusted execution layers of the system, said Mike Walters, president and co-founder of Action1.

"This vulnerability poses a serious risk for organizations relying on VBS to protect credentials, secrets, and sensitive workloads," Walters explained in prepared commentary. A successful exploit could allow an attacker to bypass security controls, establish deep persistence, and evade detection. The flaw gives them a way to "compromise systems that are assumed to be strongly isolated, increasing the blast radius of an intrusion."

Critical but Lower Risk?

CVE-2026-20952 (CVSS score: 8.4) and CVE-2026-20953 (CVSS score: 8.4) are two flaws that Microsoft rated as critical, even though the company assessed the probability of attackers actually exploiting the bugs as low. Both flaws enable remote code execution, affect Microsoft Office, and enable an unauthorized user to execute arbitrary code locally.

The vulnerabilities allow attackers to leverage a trusted Office document or even the Preview Pane to deliver malicious code. They allow an attacker to execute arbitrary code locally without requiring privileges and, in some scenarios, without any user interaction, Bicer said.

"While both vulnerabilities were rated as less likely to be exploited, they are exploitable via Microsoft's Preview Pane, which means that attackers can achieve code execution without a user ever opening a file," Narang noted. "In the modern threat landscape, even a glance is a risk."

In 2025, Microsoft issued patches for 1,275 unique CVEs across its product portfolio. It opened last year with a 157-patch update — which included fixes for as many as eight zero-days — and delivered a record-breaking 163-patch monster in October 2025.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.