
Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed - Hackread

Hackread Archived Mar 29, 2026 ✓ Full text saved



Microsoft kicks off 2026 with 115 security updates, including a fix for an actively exploited zero-day. Protect your Windows and Office systems today.

by Deeba Ahmed, January 14, 2026

Microsoft has released its first Patch Tuesday of 2026, delivering a massive wave of security fixes to protect users from various digital threats. This month, the tech giant addressed 115 vulnerabilities, out of which eight are considered Critical, the highest risk level, while 106 are labelled Important.

For those unfamiliar with the term, Patch Tuesday is the day Microsoft regularly releases updates to fix security holes. This January, the updates cover everything from Windows 11 and Microsoft Office to the Edge browser.

Zero-Day Threats and Active Risks

One of the most pressing issues is the fix for three zero-day vulnerabilities, which refer to flaws discovered before a fix was ready. These include:

CVE-2026-20805 (Desktop Window Manager): According to data from research firms like Qualys and CrowdStrike, this flaw is already being used by attackers in the wild. It is an information disclosure bug that lets hackers peek at sensitive data in the computer’s memory. Experts warn that it is often used as a stepping stone for deeper attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has urged everyone to apply this patch before February 3, 2026.

[Figure: Patches details (Source: Qualys)]

CVE-2023-31096 (Agere Soft Modem Driver): Publicly disclosed but not yet seen in active attacks, this flaw allowed hackers to gain full SYSTEM control. Microsoft fixed this by removing the old drivers entirely.

CVE-2026-21265 (Secure Boot): This involves expiring certificates that could let attackers bypass the Secure Boot protection that ensures your computer only starts with trusted software.
Critical Fixes for Office and Windows

The update also fixes dangerous Remote Code Execution (RCE) flaws, which, if left unpatched, can allow hackers to run malicious software on your computer from a remote location.

It is worth noting that several bugs, including CVE-2026-20952, CVE-2026-20953 (Office), CVE-2026-20944 (Word), and CVE-2026-20955 (Excel), could allow hackers to take over a computer if a user simply opens a malicious file or views a rigged email in the Preview Pane.

Insights from Security Researchers

In research shared exclusively with Hackread.com, the team at Action1 provided further insights into these risks. Their Director of Vulnerability Research, Jack Bicer, noted that the Windows Graphics bug (CVE-2026-20822) is especially urgent for businesses, as it allows a limited user to escalate their access to full control.

The company further noted in their blog post that even the Windows authentication service, LSASS, was at risk via CVE-2026-20854. As we know, this service handles passwords, and a flaw here could allow hackers to move through an entire office network. Additionally, CVE-2026-20876 was identified as a critical threat to protected layers of the operating system.

It is worth noting that while 115 fixes might seem overwhelming, most home users will receive these updates automatically. The next round of updates is expected on February 10.

Deeba Ahmed: Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.
Article Info
Source: Hackread
Category: Vulnerabilities & CVEs
Published: Mar 29, 2026
Archived: Mar 29, 2026