Microsoft Patch Tuesday January 2026
16 Jan 2026
The first edition of the 2026 Microsoft Patch Tuesday is here. The update addresses 114 security vulnerabilities, including three zero-day vulnerabilities.
The update is critical as it addresses the following types of vulnerabilities that can be exploited by attackers to orchestrate attacks.
|
Number |
Type of Vulnerabilities |
|
57 |
Privilege escalation |
|
22 |
Remote code execution |
|
22 |
Information disclosure |
|
5 |
Spoofing |
|
2 |
Denial of Service |
3 Zero day vulnerabilities addressed
CVE-2026-20805
Actively exploited information disclosure vulnerability – Desktop Window Manager
The cumulative update has patched one actively exploited zero-day vulnerability in the Desktop Window Manager. By exploiting the vulnerability, an unauthorized actor can disclose sensitive information locally by reading the memory addresses (specific locations in a computer memory) in the remote ALPC port (An Asynchronous Local Procedure Call port plays the role of enabling communication between processes on the same machine).
CVE-2026-21265
Security Feature Bypass vulnerability – Secure Boot Certificate
Windows Secure Boot certificates verify the boot components against a database of authorized keys/trusted certificates stored in firmware to ensure that only trusted software runs during the system startup. This is a security feature to prevent malicious software like malware and rootkits from loading during startup.
Through the update, Microsoft has replaced expiring Secure Boot certificates for all the applicable Windows 11 24H2 and 25H2 systems.
The following are the certificates that will expire soon:
|
Certificate Authority (CA) |
Location |
Purpose |
Expiration Date |
|
Microsoft Corporation KEK CA 2011 |
KEK |
Signs DB and DBX related updates |
24-06-2026 |
|
Microsoft Corporation UEFI CA 2011 |
DB |
Signs Optional ROMs, 3rd party boot loaders, etc. |
27-06-2026 |
|
Microsoft Windows Production PCA 2011 |
DB |
Signs Windows Boot Manager |
19-10-2026 |
CVE-2023-31096
Privilege escalation vulnerability – Windows Agere Soft Modem Driver
Windows has been shipping several legacy third-party drivers for ease of compatibility with analog modem and fax hardware. However, an escalation of privilege vulnerability was discovered in some of the drivers, specifically the Agere soft modem drivers agrsm64.sys and agrsm.sys. Microsoft has removed the drivers through its most recent update. Therefore, any device (modems, fax, soft modem, adaptors) dependent on the drivers will stop working on systems that have applied the recent cumulative update. Microsoft has recommended that customers remove dependency on the hardware due to the security concerns that haven’t been resolved.
All the vulnerabilities addressed
The following is a complete list of vulnerabilities addressed in the January 2026 Patch Tuesday update:
|
Component |
CVE ID |
CVE Title |
Severity |
|
Microsoft Graphics Component |
CVE-2026-20822 |
Windows Graphics Component Elevation of Privilege Vulnerability |
Critical |
|
Microsoft Office |
CVE-2026-20952 |
Microsoft Office Remote Code Execution Vulnerability |
Critical |
|
Microsoft Office |
CVE-2026-20953 |
Microsoft Office Remote Code Execution Vulnerability |
Critical |
|
Microsoft Office Excel |
CVE-2026-20957 |
Microsoft Excel Remote Code Execution Vulnerability |
Critical |
|
Microsoft Office Excel |
CVE-2026-20955 |
Microsoft Excel Remote Code Execution Vulnerability |
Critical |
|
Microsoft Office Word |
CVE-2026-20944 |
Microsoft Word Remote Code Execution Vulnerability |
Critical |
|
Windows Local Security Authority Subsystem Service (LSASS) |
CVE-2026-20854 |
Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability |
Critical |
|
Windows Virtualization-Based Security (VBS) Enclave |
CVE-2026-20876 |
Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
Critical |
|
Agere Windows Modem Driver |
CVE-2023-31096 |
MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability |
Important |
|
Azure Connected Machine Agent |
CVE-2026-21224 |
Azure Connected Machine Agent Elevation of Privilege Vulnerability |
Important |
|
Azure Core shared client library for Python |
CVE-2026-21226 |
Azure Core shared client library for Python Remote Code Execution Vulnerability |
Important |
|
Capability Access Management Service (camsvc) |
CVE-2026-20835 |
Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
Important |
|
Capability Access Management Service (camsvc) |
CVE-2026-20851 |
Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
Important |
|
Capability Access Management Service (camsvc) |
CVE-2026-20830 |
Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
Important |
|
Capability Access Management Service (camsvc) |
CVE-2026-21221 |
Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
Important |
|
Capability Access Management Service (camsvc) |
CVE-2026-20815 |
Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
Important |
|
Connected Devices Platform Service (Cdpsvc) |
CVE-2026-20864 |
Windows Connected Devices Platform Service Elevation of Privilege Vulnerability |
Important |
|
Desktop Window Manager |
CVE-2026-20805 |
Desktop Window Manager Information Disclosure Vulnerability |
Important |
|
Desktop Window Manager |
CVE-2026-20871 |
Desktop Windows Manager Elevation of Privilege Vulnerability |
Important |
|
Dynamic Root of Trust for Measurement (DRTM) |
CVE-2026-20962 |
Dynamic Root of Trust for Measurement (DRTM) Information Disclosure Vulnerability |
Important |
|
Graphics Kernel |
CVE-2026-20836 |
DirectX Graphics Kernel Elevation of Privilege Vulnerability |
Important |
|
Graphics Kernel |
CVE-2026-20814 |
DirectX Graphics Kernel Elevation of Privilege Vulnerability |
Important |
|
Host Process for Windows Tasks |
CVE-2026-20941 |
Host Process for Windows Tasks Elevation of Privilege Vulnerability |
Important |
|
Inbox COM Objects |
CVE-2026-21219 |
Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability |
Important |
|
Mariner |
CVE-2025-68756 |
block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock |
Important |
|
Mariner |
CVE-2025-68759 |
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() |
Important |
|
Mariner |
CVE-2025-68766 |
irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() |
Important |
|
Mariner |
CVE-2025-68753 |
ALSA: firewire-motu: add bounds check in put_user loop for DSP events |
Important |
|
Microsoft Office |
CVE-2026-20943 |
Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
Important |
|
Microsoft Office Excel |
CVE-2026-20949 |
Microsoft Excel Security Feature Bypass Vulnerability |
Important |
|
Microsoft Office Excel |
CVE-2026-20950 |
Microsoft Excel Remote Code Execution Vulnerability |
Important |
|
Microsoft Office Excel |
CVE-2026-20956 |
Microsoft Excel Remote Code Execution Vulnerability |
Important |
|
Microsoft Office Excel |
CVE-2026-20946 |
Microsoft Excel Remote Code Execution Vulnerability |
Important |
|
Microsoft Office SharePoint |
CVE-2026-20958 |
Microsoft SharePoint Information Disclosure Vulnerability |
Important |
|
Microsoft Office SharePoint |
CVE-2026-20959 |
Microsoft SharePoint Server Spoofing Vulnerability |
Important |
|
Microsoft Office SharePoint |
CVE-2026-20947 |
Microsoft SharePoint Server Remote Code Execution Vulnerability |
Important |
|
Microsoft Office SharePoint |
CVE-2026-20951 |
Microsoft SharePoint Server Remote Code Execution Vulnerability |
Important |
|
Microsoft Office SharePoint |
CVE-2026-20963 |
Microsoft SharePoint Remote Code Execution Vulnerability |
Important |
|
Microsoft Office Word |
CVE-2026-20948 |
Microsoft Word Remote Code Execution Vulnerability |
Important |
|
Printer Association Object |
CVE-2026-20808 |
Windows File Explorer Elevation of Privilege Vulnerability |
Important |
|
SQL Server |
CVE-2026-20803 |
Microsoft SQL Server Elevation of Privilege Vulnerability |
Important |
|
Tablet Windows User Interface (TWINUI) Subsystem |
CVE-2026-20827 |
Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
Important |
|
Tablet Windows User Interface (TWINUI) Subsystem |
CVE-2026-20826 |
Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
Important |
|
Windows Admin Center |
CVE-2026-20965 |
Windows Admin Center Elevation of Privilege Vulnerability |
Important |
|
Windows Ancillary Function Driver for WinSock |
CVE-2026-20831 |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Important |
|
Windows Ancillary Function Driver for WinSock |
CVE-2026-20860 |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Important |
|
Windows Ancillary Function Driver for WinSock |
CVE-2026-20810 |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Important |
|
Windows Client-Side Caching (CSC) Service |
CVE-2026-20839 |
Windows Client-Side Caching (CSC) Service Information Disclosure Vulnerability |
Important |
|
Windows Clipboard Server |
CVE-2026-20844 |
Windows Clipboard Server Elevation of Privilege Vulnerability |
Important |
|
Windows Cloud Files Mini Filter Driver |
CVE-2026-20940 |
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
Important |
|
Windows Cloud Files Mini Filter Driver |
CVE-2026-20857 |
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
Important |
|
Windows Common Log File System Driver |
CVE-2026-20820 |
Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Important |
|
Windows Deployment Services |
CVE-2026-0386 |
Windows Deployment Services Remote Code Execution Vulnerability |
Important |
|
Windows DWM |
CVE-2026-20842 |
Microsoft DWM Core Library Elevation of Privilege Vulnerability |
Important |
|
Windows Error Reporting |
CVE-2026-20817 |
Windows Error Reporting Service Elevation of Privilege Vulnerability |
Important |
|
Windows File Explorer |
CVE-2026-20939 |
Windows File Explorer Information Disclosure Vulnerability |
Important |
|
Windows File Explorer |
CVE-2026-20932 |
Windows File Explorer Information Disclosure Vulnerability |
Important |
|
Windows File Explorer |
CVE-2026-20937 |
Windows File Explorer Information Disclosure Vulnerability |
Important |
|
Windows File Explorer |
CVE-2026-20823 |
Windows File Explorer Information Disclosure Vulnerability |
Important |
|
Windows Hello |
CVE-2026-20852 |
Windows Hello Tampering Vulnerability |
Important |
|
Windows Hello |
CVE-2026-20804 |
Windows Hello Tampering Vulnerability |
Important |
|
Windows HTTP.sys |
CVE-2026-20929 |
Windows HTTP.sys Elevation of Privilege Vulnerability |
Important |
|
Windows Hyper-V |
CVE-2026-20825 |
Windows Hyper-V Information Disclosure Vulnerability |
Important |
|
Windows Installer |
CVE-2026-20816 |
Windows Installer Elevation of Privilege Vulnerability |
Important |
|
Windows Internet Connection Sharing (ICS) |
CVE-2026-20828 |
Windows rndismp6.sys Information Disclosure Vulnerability |
Important |
|
Windows Kerberos |
CVE-2026-20849 |
Windows Kerberos Elevation of Privilege Vulnerability |
Important |
|
Windows Kerberos |
CVE-2026-20833 |
Windows Kerberos Information Disclosure Vulnerability |
Important |
|
Windows Kernel |
CVE-2026-20838 |
Windows Kernel Information Disclosure Vulnerability |
Important |
|
Windows Kernel |
CVE-2026-20818 |
Windows Kernel Information Disclosure Vulnerability |
Important |
|
Windows Kernel Memory |
CVE-2026-20809 |
Windows Kernel Memory Elevation of Privilege Vulnerability |
Important |
|
Windows Kernel-Mode Drivers |
CVE-2026-20859 |
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability |
Important |
|
Windows LDAP – Lightweight Directory Access Protocol |
CVE-2026-20812 |
LDAP Tampering Vulnerability |
Important |
|
Windows Local Security Authority Subsystem Service (LSASS) |
CVE-2026-20875 |
Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability |
Important |
|
Windows Local Session Manager (LSM) |
CVE-2026-20869 |
Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20924 |
Windows Management Services Elevation of Privilege Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20874 |
Windows Management Services Elevation of Privilege Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20862 |
Windows Management Services Information Disclosure Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20866 |
Windows Management Services Elevation of Privilege Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20867 |
Windows Management Services Elevation of Privilege Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20861 |
Windows Management Services Elevation of Privilege Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20865 |
Windows Management Services Elevation of Privilege Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20858 |
Windows Management Services Elevation of Privilege Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20918 |
Windows Management Services Elevation of Privilege Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20877 |
Windows Management Services Elevation of Privilege Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20923 |
Windows Management Services Elevation of Privilege Vulnerability |
Important |
|
Windows Management Services |
CVE-2026-20873 |
Windows Management Services Elevation of Privilege Vulnerability |
Important |
|
Windows Media |
CVE-2026-20837 |
Windows Media Remote Code Execution Vulnerability |
Important |
|
Windows Motorola Soft Modem Driver |
CVE-2024-55414 |
Windows Motorola Soft Modem Driver Elevation of Privilege Vulnerability |
Important |
|
Windows NDIS |
CVE-2026-20936 |
Windows NDIS Information Disclosure Vulnerability |
Important |
|
Windows NTFS |
CVE-2026-20922 |
Windows NTFS Remote Code Execution Vulnerability |
Important |
|
Windows NTFS |
CVE-2026-20840 |
Windows NTFS Remote Code Execution Vulnerability |
Important |
|
Windows NTLM |
CVE-2026-20925 |
NTLM Hash Disclosure Spoofing Vulnerability |
Important |
|
Windows NTLM |
CVE-2026-20872 |
NTLM Hash Disclosure Spoofing Vulnerability |
Important |
|
Windows Remote Assistance |
CVE-2026-20824 |
Windows Remote Assistance Security Feature Bypass Vulnerability |
Important |
|
Windows Remote Procedure Call |
CVE-2026-20821 |
Remote Procedure Call Information Disclosure Vulnerability |
Important |
|
Windows Remote Procedure Call Interface Definition Language (IDL) |
CVE-2026-20832 |
Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability |
Important |
|
Windows Routing and Remote Access Service (RRAS) |
CVE-2026-20868 |
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
Important |
|
Windows Routing and Remote Access Service (RRAS) |
CVE-2026-20843 |
Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability |
Important |
|
Windows Secure Boot |
CVE-2026-21265 |
Secure Boot Certificate Expiration Security Feature Bypass Vulnerability |
Important |
|
Windows Server Update Service |
CVE-2026-20856 |
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability |
Important |
|
Windows Shell |
CVE-2026-20834 |
Windows Spoofing Vulnerability |
Important |
|
Windows Shell |
CVE-2026-20847 |
Microsoft Windows File Explorer Spoofing Vulnerability |
Important |
|
Windows SMB Server |
CVE-2026-20926 |
Windows SMB Server Elevation of Privilege Vulnerability |
Important |
|
Windows SMB Server |
CVE-2026-20921 |
Windows SMB Server Elevation of Privilege Vulnerability |
Important |
|
Windows SMB Server |
CVE-2026-20919 |
Windows SMB Server Elevation of Privilege Vulnerability |
Important |
|
Windows SMB Server |
CVE-2026-20927 |
Windows SMB Server Denial of Service Vulnerability |
Important |
|
Windows SMB Server |
CVE-2026-20848 |
Windows SMB Server Elevation of Privilege Vulnerability |
Important |
|
Windows SMB Server |
CVE-2026-20934 |
Windows SMB Server Elevation of Privilege Vulnerability |
Important |
|
Windows Telephony Service |
CVE-2026-20931 |
Windows Telephony Service Elevation of Privilege Vulnerability |
Important |
|
Windows TPM |
CVE-2026-20829 |
TPM Trustlet Information Disclosure Vulnerability |
Important |
|
Windows Virtualization-Based Security (VBS) Enclave |
CVE-2026-20938 |
Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
Important |
|
Windows Virtualization-Based Security (VBS) Enclave |
CVE-2026-20935 |
Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
Important |
|
Windows Virtualization-Based Security (VBS) Enclave |
CVE-2026-20819 |
Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
Important |
|
Windows WalletService |
CVE-2026-20853 |
Windows WalletService Elevation of Privilege Vulnerability |
Important |
|
Windows Win32K – ICOMP |
CVE-2026-20811 |
Win32k Elevation of Privilege Vulnerability |
Important |
|
Windows Win32K – ICOMP |
CVE-2026-20870 |
Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
Important |
|
Windows Win32K – ICOMP |
CVE-2026-20920 |
Win32k Elevation of Privilege Vulnerability |
Important |
|
Windows Win32K – ICOMP |
CVE-2026-20863 |
Win32k Elevation of Privilege Vulnerability |
Important |
|
Mariner |
CVE-2026-21444 |
libtpms returns wrong initialization vector when certain symmetric ciphers are used |
Moderate |
|
Mariner |
CVE-2025-68758 |
backlight: led-bl: Add devlink to supplier LEDs |
Moderate |
|
Mariner |
CVE-2025-68757 |
drm/vgem-fence: Fix potential deadlock on release |
Moderate |
|
Mariner |
CVE-2025-68764 |
NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags |
Moderate |
|
Mariner |
CVE-2025-68763 |
crypto: starfive – Correctly handle return of sg_nents_for_len |
Moderate |
|
Mariner |
CVE-2025-68755 |
staging: most: remove broken i2c driver |
Moderate |
|
Mariner |
CVE-2025-68765 |
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() |
Moderate |
|
Microsoft Edge (Chromium-based) |
CVE-2026-0628 |
Chromium: CVE-2026-0628 Insufficient policy enforcement in WebView tag |
Unknown |
SharkStriker’s recommendations
Since the cumulative update addresses several critical and zero-day vulnerabilities, it is highly recommended to immediately apply the patches.
The following are some of the general actions we have performed:
- Round-the-clock security monitoring of the Microsoft environment and the rest of the infrastructure for pre-emptive threat detection and response.
- Continuous threat hunting based on Microsoft’s Threat Analytics report, and Indicators of Compromise and Indicators of Attack by CISA and other reputable sources.
- Configuration of detection mechanisms with industry best practices for early discovery of risks and quick, precise, and timely action on threats.
- Continuous assessment-based improvement of security posture with recommendations.