Starting the year on a security-first note, Microsoft’s January 2026 Patch Tuesday resolves several vulnerabilities that could impact enterprise environments. Here’s a quick breakdown of what you need to know.
Microsoft Patch Tuesday for January 2026
This month’s release addresses 115 vulnerabilities, including eight critical and 106 important-severity vulnerabilities.
In this month’s updates, Microsoft has addressed three zero-day vulnerabilities. One of them was exploited, and two are publicly disclosed.
Microsoft addressed one vulnerability in Microsoft Edge (Chromium-based) that was patched earlier this month.
Microsoft Patch Tuesday, January edition, includes updates for vulnerabilities in Windows Ancillary Function Driver for WinSock, Windows Client-Side Caching (CSC) Service, Windows NTFS, Windows NTLM, Windows Remote Assistance, Windows Remote Procedure Call, Windows Server Update Service, Windows Cloud Files Mini Filter Driver, Windows Management Services, and more.
From elevation of privilege flaws to remote code execution risks, this month’s patches are essential for organizations aiming to maintain a robust security posture.
The January 2026 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
| Spoofing Vulnerability | 5 | Important: 5 |
| Denial of Service Vulnerability | 2 | Important: 2 |
| Elevation of Privilege Vulnerability | 57 | Critical: 2 Important: 55 |
| Information Disclosure Vulnerability | 22 | Important: 24 |
| Remote Code Execution Vulnerability | 22 | Critical: 6 Important: 16 |
| Security Feature Bypass Vulnerability | 3 | Important: 3 |
Zero-day Vulnerabilities Patched in January Patch Tuesday Edition
CVE-2026-20805: Desktop Window Manager Information Disclosure Vulnerability
An unauthenticated attacker may exploit the vulnerability to disclose information locally. Upon successful exploitation, an attacker can expose a section address from a remote ALPC port, which is user-mode memory.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before February 3, 2026.
MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability
Microsoft mentioned in the advisory that “the vulnerabilities in the third-party Agere Soft Modem drivers that ship natively with supported Windows operating systems.” Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. Microsoft fixes this vulnerability by removing agrsm64.sys and agrsm.sys drivers.
CVE-2026-21265: Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
Upon successful exploitation of the vulnerability, an attacker could bypass Secure Boot.
Microsoft has informed that Windows Secure Boot certificates issued in 2011 are nearing expiration, and systems that are not updated will have an increased risk of threat actors bypassing Secure Boot.
Critical Severity Vulnerabilities Patched in January Patch Tuesday Edition
CVE-2026-20822: Windows Graphics Component Elevation of Privilege Vulnerability
A use-after-free flaw in the Microsoft Graphics Component may allow an authenticated attacker to elevate privileges locally. An attacker must win a race condition to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
CVE-2026-20876: Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
A heap-based buffer overflow flaw in Windows Virtualization-Based Security (VBS) Enclave could allow an authenticated attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain Virtual Trust Level 2 (VTL2) privileges.
CVE-2026-20944: Microsoft Word Remote Code Execution Vulnerability
An out-of-bounds read flaw in Microsoft Office Word may allow an unauthenticated attacker to achieve remote code execution. An attacker must send the user a malicious file and convince them to open it for the vulnerability to be successfully exploited.
CVE-2026-20952 & CVE-2026-20953: Microsoft Office Remote Code Execution Vulnerability
A use-after-free flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.
CVE-2026-20955: Microsoft Excel Remote Code Execution Vulnerability
Successful exploitation of the vulnerability may allow an unauthenticated attacker to achieve remote code execution.
CVE-2026-20854: Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
The Local Security Authority Subsystem Service (LSASS) is a core Windows process that handles user authentication, enforces security policies, and manages sensitive credentials (like passwords, NTLM hashes) by generating access tokens for users.
A use-after-free flaw in the Windows Local Security Authority Subsystem Service allows an authorized attacker to execute code over a network.
CVE-2026-20957: Microsoft Excel Remote Code Execution Vulnerability
An integer underflow flaw in Microsoft Office Excel allows an unauthenticated attacker to achieve remote code execution.
Other Microsoft Vulnerability Highlights
- CVE-2026-20816 is an elevation of privilege vulnerability in the Windows Installer. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2026-20817 is an elevation of privilege vulnerability in the Windows Error Reporting Service. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges.
- CVE-2026-20820 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. A heap-based buffer overflow flaw could allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-20840 & CVE-2026-20922 are remote code execution vulnerabilities in Windows NTFS. A heap-based buffer overflow flaw could allow an authenticated attacker to achieve remote code execution.
- CVE-2026-20860 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. A type confusion flaw may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-20843 is an elevation of privilege vulnerability in the Windows Routing and Remote Access Service (RRAS). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2026-20871 is an elevation of privilege vulnerability in Desktop Windows Manager. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows Deployment Services, SQL Server, Windows Hello, Desktop Window Manager, Printer Association Object, Windows Kernel Memory, Windows Win32K – ICOMP, Windows LDAP – Lightweight Directory Access Protocol, Graphics Kernel, Capability Access Management Service (camsvc), Windows Installer, Windows Error Reporting, Windows Kernel, Windows Virtualization-Based Security (VBS) Enclave, Windows Common Log File System Driver, Microsoft Graphics Component, Windows File Explorer, Windows Hyper-V, Tablet Windows User Interface (TWINUI) Subsystem, Windows Internet Connection Sharing (ICS), Windows TPM, Windows Remote Procedure Call Interface Definition Language (IDL), Windows Kerberos, Windows Shell, Windows Media, Windows DWM, Windows Routing and Remote Access Service (RRAS), Windows Clipboard Server, Windows SMB Server, Windows WalletService, Windows Local Security Authority Subsystem Service (LSASS), Windows Kernel-Mode Drivers, Connected Devices Platform Service (Cdpsvc), Windows Local Session Manager (LSM), Windows HTTP.sys, Windows Telephony Service, Windows NDIS, Host Process for Windows Tasks, Microsoft Office, Microsoft Office Word, Microsoft Office Excel, Microsoft Office SharePoint, Dynamic Root of Trust for Measurement (DRTM), Windows Admin Center, Inbox COM Objects, Azure Connected Machine Agent, Azure Core shared client library for Python, Windows Secure Boot, Agere Windows Modem Driver, Windows Motorola Soft Modem Driver, and Microsoft Edge (Chromium-based).
The next Patch Tuesday is scheduled for February 10, and we will provide details and patch analysis at that time. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.’
Qualys Monthly Webinar Series
The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management, Detection & Response (VMDR), and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, we will discuss this month’s high-impact vulnerabilities, including those highlighted in this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.
Join the webinar
This Month in Vulnerabilities & Patches
