January 2026 Patch Tuesday: Key Updates and Critical Fixes

Microsoft January 2026 Patch Tuesday security update vulnerabilities CVE-2026-20805 critical vulnerabilities Patch Tuesday analysis
Divyansh Ingle
Divyansh Ingle

Head of Engineering

 
January 16, 2026 3 min read
January 2026 Patch Tuesday: Key Updates and Critical Fixes

TL;DR

Microsoft's January 2026 Patch Tuesday addresses 114 security vulnerabilities, including one actively exploited flaw affecting the Desktop Window Manager and eight critical issues. This update also covers critical RCE vulnerabilities in Microsoft Office and important security feature bypasses, alongside upcoming Secure Boot certificate expirations that require attention. Prompt patching is essential to mitigate these risks.

Microsoft January 2026 Patch Tuesday Analysis

Microsoft has released its January 2026 security update, addressing a total of 114 security flaws. This includes one actively exploited vulnerability and eight rated as critical.

Vulnerability Statistics

  • Total CVEs Addressed: 114
  • Critical: 8
  • Important: 106
  • Actively Exploited: 1 (CVE-2026-20805)
  • Privilege Escalation: 58
  • Information Disclosure: 22
  • Remote Code Execution: 21
  • Spoofing: 5

Pie chart showing severity distribution

Image courtesy of Tenable

Actively Exploited Vulnerability: Desktop Window Manager Information Disclosure

CVE-2026-20805 is an information disclosure vulnerability in the Desktop Window Manager (DWM). It has a CVSS score of 5.5 and is actively being exploited in the wild.

Microsoft stated that the vulnerability allows a local, authenticated attacker to disclose a section address from a remote ALPC (Advanced Local Procedure Call) port, which is user-mode memory. Microsoft Threat Intelligence Center (MTIC) and Microsoft Security Response Center (MSRC) have been credited with identifying and reporting this flaw.

According to Adam Barnett, lead software engineer at Rapid7, DWM's role in drawing everything on a Windows display makes it a frequent target. He noted that exploitation leads to improper disclosure of an ALPC port section address. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply fixes by February 3, 2026.

Secure Boot Certificate Expiration

CVE-2026-21265 is a security feature bypass vulnerability affecting Secure Boot Certificate Expiration. It has a CVSS score of 6.4. The vulnerability could allow an attacker to undermine the security mechanism that ensures firmware modules come from a trusted source.

Microsoft announced that three Windows Secure Boot certificates issued in 2011 will expire in June 2026. Customers are urged to update to their 2023 counterparts to avoid disruption. The expiring certificates include:

  • Microsoft Corporation KEK CA 2011 (June 2026)
  • Microsoft Windows Production PCA 2011 (October 2026)
  • Microsoft UEFI CA 2011 (June 2026)

Microsoft Office Remote Code Execution Vulnerabilities

CVE-2026-20952 and CVE-2026-20953 are remote code execution (RCE) vulnerabilities affecting Microsoft Office. They have a CVSSv3 score of 8.4 and are rated as critical. An attacker could exploit these flaws by sending a malicious Microsoft Office document to a target. Successful exploitation would grant code execution privileges.

CVE-2026-20944 is another RCE vulnerability, this time affecting Microsoft Word. A remote threat actor can exploit an out-of-bounds read vulnerability to execute code locally by sending a malicious file and convincing a victim to open it.

The Absolute Security Blog notes that these vulnerabilities can be exploited via the Preview Pane in Outlook, requiring no user interaction beyond previewing the document.

Windows NTFS Remote Code Execution Vulnerabilities

CVE-2026-20840 and CVE-2026-20922 are RCE vulnerabilities affecting Windows New Technology File System (NTFS). Both have CVSSv3 scores of 7.8 and are rated as important. Microsoft assessed both of these flaws as “Exploitation More Likely.” According to Microsoft, both these flaws stem from heap-based buffer overflows which can be exploited to execute arbitrary code on an affected system. Any authenticated attacker can exploit these flaws, regardless of privilege level.

Additional Vendor Updates

Alongside Microsoft, multiple vendors have released security updates:

Gopher Security Recommendations

Given the nature of these vulnerabilities, particularly the actively exploited CVE-2026-20805 and the Office RCEs, it is crucial to apply the relevant patches promptly. Organizations should prioritize patching Office applications and address the scope-changing Windows fixes to prevent privilege escalation.

Consider leveraging Gopher Security's AI-powered, post-quantum Zero-Trust cybersecurity architecture to enhance your defenses. Our platform converges networking and security, offering peer-to-peer encrypted tunnels and quantum-resistant cryptography across all environments to mitigate potential threats.

For more information on how Gopher Security can help protect your organization, please contact us.

Divyansh Ingle
Divyansh Ingle

Head of Engineering

 

AI and cybersecurity expert with 15-year large scale system engineering experience. Great hands-on engineering director.

Related News

Single-Click 'Reprompt' Attack Steals Data from Microsoft Copilot
Reprompt attack

Single-Click 'Reprompt' Attack Steals Data from Microsoft Copilot

Discover the 'Reprompt' attack: a single-click exploit targeting Microsoft Copilot. Learn how it works and how to protect your sensitive data. Read more now!

By Edward Zhou January 16, 2026 2 min read
common.read_full_article
Critical Azure Entra ID Vulnerability Allows Tenant-Wide Compromise
Windows Admin Center vulnerability

Critical Azure Entra ID Vulnerability Allows Tenant-Wide Compromise

Urgent: Two critical vulnerabilities in Windows Admin Center (CVE-2026-20965) and Azure Entra ID (CVE-2025-55241) could lead to tenant-wide compromise. Learn how to protect your systems now!

By Alan V Gutnov January 15, 2026 5 min read
common.read_full_article
Advanced Linux VoidLink Malware: Targeting Cloud and Container Environments
VoidLink malware

Advanced Linux VoidLink Malware: Targeting Cloud and Container Environments

Discover VoidLink, a sophisticated Linux malware framework targeting cloud environments. Learn its stealthy tactics, modular design, and how to protect your infrastructure. Read now!

By Edward Zhou January 14, 2026 6 min read
common.read_full_article
Critical Apache Struts XXE Injection Vulnerability CVE-2025-68493
Apache Struts XXE

Critical Apache Struts XXE Injection Vulnerability CVE-2025-68493

Critical Apache Struts XXE vulnerability (CVE-2025-68493) with CVSS 9.8! Discover its impact on AI/MLOps and learn mitigation strategies. Secure your systems now!

By Divyansh Ingle January 13, 2026 4 min read
common.read_full_article