Microsoft Fixes 114 Bugs, Confirms Active Exploitation in Windows DWM

Microsoft has released its first Patch Tuesday update of 2026, delivering fixes for a total of 114 security vulnerabilities. Among these issues is one flaw that the company confirmed is already being exploited by attackers in real-world scenarios.

Of the vulnerabilities addressed, eight have been labeled as Critical, while the remaining 106 are categorized as Important. Privilege escalation issues dominate this release, accounting for 58 flaws. Other categories include 22 information disclosure bugs, 21 remote code execution vulnerabilities, and five spoofing-related weaknesses. Based on Fortra’s tracking, this update ranks as the third-largest January Patch Tuesday, following those issued in January 2025 and January 2022.

In addition to these fixes, Microsoft has also patched two Edge browser vulnerabilities since the December 2025 update. These include a low-severity spoofing issue affecting Edge on Android (CVE-2025-65046) and a more serious flaw related to inadequate policy enforcement in Chromium’s WebView component (CVE-2026-0628), which carries a high CVSS score of 8.8.

Actively Exploited Vulnerability

The flaw confirmed to be under active exploitation is CVE-2026-20805, an information disclosure vulnerability in the Windows Desktop Window Manager (DWM), rated 5.5 on the CVSS scale. The issue was discovered by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC).

According to Microsoft, the vulnerability allows a locally authenticated attacker to access sensitive information by exposing a section address tied to a remote ALPC port in user-mode memory. While Microsoft has acknowledged active exploitation, details regarding the attack methods, scale, or threat actors involved have not been disclosed.

Security experts note that DWM presents an attractive attack surface due to its elevated privileges and near-universal use across Windows processes. Improper exposure of ALPC port memory can aid attackers in understanding how Windows components communicate internally, potentially paving the way for more advanced attacks.

DWM has a history of security issues. In May 2024, Microsoft patched another actively exploited zero-day in the same component (CVE-2024-30051), which was used by multiple threat actors alongside malware such as QakBot. Since 2022, roughly 20 DWM-related vulnerabilities have been fixed, earning it a reputation as a frequent Patch Tuesday target.

Researchers warn that vulnerabilities like CVE-2026-20805 can be leveraged to weaken protections such as Address Space Layout Randomization (ASLR). By revealing memory locations, attackers can combine information disclosure bugs with separate code execution flaws to create more reliable and repeatable exploits.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch agencies are required to apply the patch by February 3, 2026.

Secure Boot and Driver-Related Issues

Another significant issue addressed this month is CVE-2026-21265, a Secure Boot certificate expiration bypass flaw. Exploitation could weaken the trust model that ensures only verified firmware and boot components are executed during system startup.

Microsoft previously announced that several Secure Boot certificates issued in 2011 will expire beginning in June 2026. Customers are being urged to migrate to updated 2023 certificates to avoid boot failures or security degradation. The affected certificates include those used for Windows boot loaders, firmware databases, third-party boot loaders, and option ROMs.
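As an added example (not part of the article, and not Microsoft's own tooling), the following PowerShell reads the UEFI Secure Boot signature databases and reports whether the 2023 certificates have already been enrolled alongside the expiring 2011 ones. It assumes an elevated PowerShell session on a UEFI machine; the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets do the reading, and the certificate subject strings searched for are the 2011 and 2023 CA names Microsoft publishes (assumed here, so adjust them if your firmware vendor's naming differs).

```powershell
# Added example: report which Microsoft Secure Boot CAs are present in the
# KEK and db variables. Assumes an elevated session on a UEFI system.

function Get-SecureBootCaStatus {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning "Secure Boot is disabled; certificate state is not enforced on this machine."
        return
    }

    # The KEK and db variables are raw EFI_SIGNATURE_LIST blobs. Certificate
    # subject names are stored as plain ASCII inside the embedded X.509 DER
    # data, so a simple string search is enough to detect each CA.
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

    # CA names as published by Microsoft (assumed; the 2011 entries expire
    # from June 2026, the 2023 entries are their replacements).
    $checks = @(
        @{ Store = 'KEK'; Name = 'Microsoft Corporation KEK CA 2011';           Generation = '2011' }
        @{ Store = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023';        Generation = '2023' }
        @{ Store = 'db';  Name = 'Microsoft Windows Production PCA 2011';       Generation = '2011' }
        @{ Store = 'db';  Name = 'Windows UEFI CA 2023';                        Generation = '2023' }
        @{ Store = 'db';  Name = 'Microsoft Corporation UEFI CA 2011';          Generation = '2011' }
        @{ Store = 'db';  Name = 'Microsoft UEFI CA 2023';                      Generation = '2023' }
        @{ Store = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023';           Generation = '2023' }
    )

    foreach ($c in $checks) {
        $blob = if ($c.Store -eq 'KEK') { $kek } else { $db }
        [pscustomobject]@{
            Store       = $c.Store
            Certificate = $c.Name
            Generation  = $c.Generation
            Present     = $blob.Contains($c.Name)
        }
    }
}

$status = Get-SecureBootCaStatus
$status | Format-Table -AutoSize

# A machine is ready for the 2011 expiry only if every 2023 entry it needs
# is present. Flag any missing 2023 CA so it can be remediated before June 2026.
$missing = $status | Where-Object { $_.Generation -eq '2023' -and -not $_.Present }
if ($missing) {
    Write-Warning ("2023 Secure Boot certificates not yet enrolled: " +
        (($missing | ForEach-Object { $_.Certificate }) -join ', '))
}
```

Run it on a representative sample of endpoints before rolling out the certificate update; a host where the 2011 CAs are present but none of the 2023 CAs are is exactly the population that risks boot failures once the old certificates expire. Note that the option ROM CA is only relevant on hardware that carries signed option ROMs, so its absence is not necessarily a defect on every machine.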

Microsoft has also removed legacy Agere Soft Modem drivers (agrsm64.sys and agrsm.sys) from Windows. These drivers were found to be vulnerable to a long-standing local privilege escalation flaw (CVE-2023-31096) that could allow attackers to gain SYSTEM-level access.

This follows similar action taken in October 2025, when Microsoft removed another Agere modem driver (ltmdm64.sys) after attackers exploited CVE-2025-24990 to obtain administrative privileges.
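As an added example (not from the article or from Microsoft), this PowerShell snippet checks whether any of the three legacy Agere modem drivers named above are still present on disk or still registered as a system driver, which is the quickest way to confirm the removal actually landed on a given host after the update. It assumes an elevated PowerShell session and a default `%SystemRoot%\System32\drivers` location.

```powershell
# Added example: verify removal of the legacy Agere modem drivers named in
# the article. Assumes an elevated session and the default drivers directory.

function Get-LegacyAgereDriverStatus {
    $names     = 'agrsm64.sys', 'agrsm.sys', 'ltmdm64.sys'
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'

    # Enumerate registered kernel drivers once; PathName holds the image path.
    $registered = Get-CimInstance -ClassName Win32_SystemDriver

    foreach ($n in $names) {
        $path   = Join-Path $driverDir $n
        $onDisk = Test-Path -LiteralPath $path
        $match  = $registered | Where-Object {
            $_.PathName -and ($_.PathName -match [regex]::Escape($n))
        }

        [pscustomobject]@{
            Driver      = $n
            OnDisk      = $onDisk
            FileVersion = if ($onDisk) { (Get-Item -LiteralPath $path).VersionInfo.FileVersion } else { $null }
            Service     = if ($match) { ($match | ForEach-Object { $_.Name }) -join ',' } else { $null }
            State       = if ($match) { ($match | ForEach-Object { $_.State }) -join ',' } else { $null }
        }
    }
}

$status = Get-LegacyAgereDriverStatus
$status | Format-Table -AutoSize

# Anything still on disk or registered after the January 2026 update is worth
# a ticket: either the update has not applied or something re-deployed the driver.
$leftover = $status | Where-Object { $_.OnDisk -or $_.Service }
if ($leftover) {
    Write-Warning ("Legacy Agere driver still present: " +
        (($leftover | ForEach-Object { $_.Driver }) -join ', '))
}
```

A driver that is on disk but has no registered service cannot load on its own, but it is still a vulnerable binary that a local user could attempt to install, so the check treats both conditions as findings.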

High-Risk Privilege Escalation in VBS

Among the most serious issues in this release is CVE-2026-20876, a privilege escalation vulnerability affecting Windows Virtualization-Based Security (VBS) Enclaves. The flaw allows attackers with existing access to elevate privileges to Virtual Trust Level 2 (VTL2) - one of the most trusted execution layers in Windows.

Although exploitation requires prior elevated access, the consequences are severe. Successful attackers could bypass core security protections, maintain persistent access, and evade detection by undermining virtualization-based defenses themselves. Experts emphasize that timely patching is critical to preserving the integrity of Windows security boundaries.

Updates from Other Vendors

Alongside Microsoft, numerous other vendors have issued security updates this month to address vulnerabilities in their products. These include, but are not limited to, updates from ABB, Adobe, Amazon Web Services, AMD, Arm, ASUS, Broadcom (including VMware), Cisco, Dell, Fortinet, Google (Android, Chrome, Cloud), HP, IBM, Lenovo, Linux distributions, NVIDIA, Mozilla, Samsung, SAP, Siemens, SonicWall, Sophos, Trend Micro, Veeam, and many others.
