January 2026 Patch Tuesday: Active Zero-Day & 111 Other Flaws Addressed

Microsoft released its January 2026 Patch Tuesday security updates, resolving a total of 112 vulnerabilities across Windows and multiple Microsoft products and components.

The release includes three zero-day vulnerabilities, one of which was confirmed as actively exploited in the wild, while the remaining two had been publicly disclosed prior to the patch. In addition, eight vulnerabilities received a Critical severity rating, signaling a higher risk of impact if left unaddressed.

Vulnerability Breakdown by Category:

55 Elevation of Privilege (EoP)
21 Remote Code Execution (RCE)
23 Information Disclosure
5 Spoofing
3 Security Feature Bypass
3 Tampering
2 Denial of Service (DoS)

January 2026 Patch Tuesday vulnerability types

Elevation of Privilege vulnerabilities dominated this month’s fixes, continuing a consistent trend. Remote Code Execution and Information Disclosure issues also made up a significant portion of the addressed flaws.

Zero-Day Vulnerabilities Addressed in January 2026

The January 2026 Patch Tuesday release addressed three zero-day vulnerabilities, including one actively exploited flaw and two issues that were publicly disclosed prior to patch availability.

CVE-2026-20805 (CVSS 5.5) – Desktop Window Manager Information Disclosure
CVE-2023-31096 (CVSS 7.8) – Windows Agere Soft Modem Driver Elevation of Privilege
CVE-2026-21265 (CVSS 6.4) – Secure Boot Certificate Expiration Security Feature Bypass

Actively Exploited Zero-Day: CVE-2026-20805

The actively exploited vulnerability, CVE-2026-20805 (CVSS 5.5), affects the Desktop Window Manager (DWM) component in Windows. Microsoft rated the issue as Important and classified it as an information disclosure flaw that could allow a local, authorized attacker to leak sensitive memory-related data.

Details of CVE-2026-20805 (SOCRadar Vulnerability Intelligence)

According to Microsoft’s advisory, successful exploitation could expose a section address associated with a remote ALPC port in user-mode memory. While the vulnerability alone does not enable code execution, such information leaks are often leveraged to weaken exploit mitigations and support follow-on attacks.

Researchers from Trend Micro Zero Day Initiative assessed that the vulnerability was likely used in targeted attack chains, where the leaked address information could assist attackers in achieving arbitrary code execution.

CISA KEV listing for the CVE-2026-20805 vulnerability

Due to confirmed exploitation, CISA added CVE-2026-20805 to its Known Exploited Vulnerabilities (KEV) Catalog, setting a remediation due date of February 3, 2026 for affected organizations.

Publicly Disclosed Zero-Days: Secure Boot and Driver-Level EoP

Two additional zero-day vulnerabilities patched in January were publicly disclosed before fixes became available:

CVE-2026-21265 (CVSS 6.4): a Secure Boot certificate expiration issue that could allow a security feature bypass
CVE-2023-31096 (CVSS 7.8): an elevation of privilege flaw involving legacy Agere Soft Modem drivers

Details of CVE-2023-31096 (SOCRadar Vulnerability Intelligence)

Importantly, CVE-2023-31096 is not a Microsoft vulnerability. The issue originates from third-party Agere Soft Modem drivers that ship by default with supported Windows operating systems. These drivers, agrsm64.sys and agrsm.sys, were assigned a CVE by MITRE in 2023. To solve the issue, Microsoft removed the affected drivers entirely in the January 2026 cumulative update. Therefore, hardware that depends on these specific modem drivers will no longer function on patched systems. Microsoft advised organizations to identify and eliminate any remaining reliance on this legacy hardware to reduce exposure.

Improve Vulnerability Prioritization with SOCRadar

Hundreds of new vulnerabilities surface over days, making it difficult to determine which ones pose an immediate risk. SOCRadar’s Vulnerability Intelligence, delivered through its Cyber Threat Intelligence module, helps security teams focus on what matters by adding real-world context such as exploitation status, threat actor interest, and observed attack patterns.

SOCRadar Vulnerability Intelligence – CVEs and Exploitation Insights

With SOCRadar, your security team can:

Rank vulnerabilities more effectively by correlating severity, affected vendors and products, and live exploit indicators.
Track exploit activity and associate CVEs with ongoing or emerging threat campaigns to support risk-based decisions.
Observe how vulnerabilities progress after disclosure, from early proof-of-concept code to active abuse, enabling more confident remediation planning.

Critical Vulnerabilities in January 2026 Patch Tuesday

Microsoft addressed eight critical-severity vulnerabilities as part of its January 2026 Patch Tuesday updates, impacting core Windows services and widely used Office applications. The majority of these issues allow RCE, making them particularly relevant for environments where user interaction or exposed services are present.

Six critical RCE vulnerabilities affected Windows services and Microsoft Office applications, including components commonly targeted through document-based attack vectors and system-level services:

CVE-2026-20944 (CVSS 8.4) – Microsoft Word Remote Code Execution
CVE-2026-20952 (CVSS 8.4) – Microsoft Office Remote Code Execution
CVE-2026-20953 (CVSS 8.4) – Microsoft Office Remote Code Execution
CVE-2026-20955 (CVSS 7.8) – Microsoft Excel Remote Code Execution
CVE-2026-20957 (CVSS 7.8) – Microsoft Excel Remote Code Execution
CVE-2026-20854 (CVSS 7.5) – Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution

These flaws could allow attackers to execute arbitrary code if successfully exploited, typically through specially crafted documents or interactions with vulnerable services. Given the prevalence of Office applications across enterprise environments, these vulnerabilities present a realistic risk when combined with phishing or social engineering campaigns.

Two additional critical vulnerabilities enabled elevation of privilege on affected systems:

CVE-2026-20822 (CVSS 7.8) – Windows Graphics Component Elevation of Privilege
CVE-2026-20876 (CVSS 6.7) – Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege

Successful exploitation of these flaws could allow attackers to gain higher-level permissions, potentially enabling further compromise after initial access.

High-Risk Vulnerabilities to Watch in January Patch Tuesday

Beyond the critical fixes, Microsoft identified a set of vulnerabilities assessed as more likely to be exploited.

CVE-2026-20816 (CVSS 7.8) – Windows Installer Elevation of Privilege
CVE-2026-20817 (CVSS 7.8) – Windows Error Reporting Service Elevation of Privilege
CVE-2026-20820 (CVSS 7.8) – Windows Common Log File System Driver Elevation of Privilege
CVE-2026-20840 (CVSS 7.8) – Windows NTFS Remote Code Execution
CVE-2026-20843 (CVSS 7.8) – Windows Routing and Remote Access Service (RRAS) Elevation of Privilege
CVE-2026-20860 (CVSS 7.8) – Windows Ancillary Function Driver for WinSock Elevation of Privilege
CVE-2026-20871 (CVSS 7.8) – Desktop Window Manager Elevation of Privilege
CVE-2026-20922 (CVSS 7.8) – Windows NTFS Remote Code Execution

While none of these vulnerabilities were confirmed as actively exploited at the time of release, their “more likely” designation signals a higher risk of weaponization. Organizations should prioritize patching affected systems, particularly those exposed to user interaction or elevated privilege workflows.

Apply Microsoft’s Security Updates & Achieve Post-Patch Exposure Visibility

Microsoft’s security updates address vulnerabilities across widely used products, many of which are directly exposed to user interaction. Systems affected by these flaws should be patched without delay, with priority given to externally reachable or business-critical assets.

See Microsoft’s January 2026 release note for the full details of patched CVEs.

Applying updates, however, does not always eliminate risk. Some assets may remain exposed, partially patched, or newly reachable after changes in infrastructure or configuration. SOCRadar Attack Surface Management (ASM) continuously identifies internet-facing assets, detects unpatched systems, and surfaces configuration weaknesses that attackers commonly exploit.