
Microsoft’s January 2026 Patch Tuesday has delivered a major security update to address 114 vulnerabilities across Windows, Office, and other core Microsoft products. Among the most critical are three zero-day flaws: CVE-2026-20805 (Desktop Window Manager information disclosure), CVE-2026-21265 (Secure Boot certificate expiration bypass), and CVE-2023-31096 (Agere Soft Modem driver elevation of privilege). Eight vulnerabilities are rated as Critical, six of which are remote code execution (RCE) flaws, and two are privilege escalation (elevation-of-privilege) issues. Let’s take a look at what’s new on Microsoft’s January 2026 Patch Tuesday.
Overview of the January 2026 Patch Tuesday
- Total vulnerabilities fixed: 114 across Windows, Office, and other core Microsoft products
- Zero-day vulnerabilities: 3 (1 actively exploited, 2 publicly disclosed)
- Critical vulnerabilities: 8 (6 remote code execution(RCE), 2 elevation-of-privilege (EoP) flaws)
- Affected products: Windows 10, Windows 11, Office, Microsoft Edge (separate update), and more
- Cumulative updates released:
  - Windows 11: KB5074109, KB5073455
  - Windows 10: KB5073724 (Extended Security Update)
Microsoft has confirmed that no patches were released for Microsoft Edge or Mariner in this cycle — those were addressed separately.
Critical Vulnerabilities: 8 Critical Flaws, 6 RCEs, 2 EoP
The eight Critical vulnerabilities in the January 2026 update pose the highest risk. These flaws can be exploited remotely, often without user interaction, and allow attackers to execute arbitrary code or escalate privileges on compromised systems.
While Microsoft has not released a full public list of all 114 flaws, the eight Critical issues are particularly dangerous due to their remote exploitability and potential for widespread impact.
- Remote Code Execution (RCE): Attackers can execute malicious code on a target system from a remote location—often via network traffic or a malicious file.
- Elevation of Privilege (EoP): Exploits allow attackers to gain administrator-level access after initial compromise — a common step in ransomware and data theft campaigns.
These vulnerabilities are especially concerning in enterprise environments, where unpatched systems may serve as entry points for broader network breaches.
Recommendation: Apply the January 2026 updates immediately, especially on systems exposed to the internet or untrusted networks.
Zero-Day Vulnerabilities: 3 Critical Flaws Patched
A zero-day vulnerability is a security flaw in software that is unknown to the vendor (like Microsoft) at the time it is exploited by attackers. Because there’s no patch available when the flaw is discovered, it’s called a “zero-day” — meaning the vendor has zero days to fix it before it’s used in attacks.
When a zero-day is actively exploited, it means attackers are already using it to compromise systems, making it one of the most dangerous threats in cybersecurity.
In this update:
- One zero-day (CVE-2026-20805) was actively exploited — meaning attackers were already using it.
- Two others were publicly disclosed—meaning the flaw was known to researchers and the public, yet remained unpatched until now.
That’s why patching immediately is critical: once a zero-day is patched, the risk drops dramatically.
1. CVE-2026-20805 – Desktop Window Manager Information Disclosure (Actively Exploited)
- Type: Information Disclosure (Critical)
- Component: Desktop Window Manager (DWM)
- Impact: Attackers can read sensitive memory addresses from remote ALPC ports, potentially exposing encryption keys, credentials, or process data.
- Exploitation Status: Actively exploited in the wild.
- Patch: Included in KB5074109 (Windows 11) and KB5073724 (Windows 10).
Microsoft attributes the discovery to its Microsoft Threat Intelligence Center (MSTIC) and Security Response Center (MSRC), but has not disclosed the exact attack vector.
2. CVE-2026-21265 – Secure Boot Certificate Expiration Bypass
- Type: Security Feature Bypass (Critical)
- Component: Secure Boot
- Impact: Expired certificates (issued in 2011) could allow attackers to bypass Secure Boot and load malicious firmware during boot.
- Fix: The update renews the affected certificates, preserving the boot chain trust.
- Context: Microsoft previously warned about this in a June 2025 advisory, highlighting long-term certificate lifecycle risks.
3. CVE-2023-31096 – Agere Soft Modem Driver Elevation of Privilege
- Type: Elevation of Privilege (Critical)
- Component: Third-party Agere Modem Driver
- Impact: Attackers could gain administrative control on compromised systems.
- Fix: Microsoft has removed the vulnerable drivers (agrsm64.sys and agrsm.sys) from Windows entirely.
- Attribution: Discovered by Zeze and TeamT5.
This move marks a shift in Microsoft’s security strategy — instead of patching, they are removing risky components to eliminate long-term exposure.
Windows 10 and Windows 11 Cumulative Updates
Microsoft has released the following cumulative security updates for Windows 10 and Windows 11 as part of the January 2026 Patch Tuesday:
| Operating System | Update KB | Type | Key Features |
| --- | --- | --- | --- |
| Windows 11 | KB5074109, KB5073455 | Cumulative Security Update | Includes all security fixes from January 2026, plus general stability and reliability improvements. |
| Windows 10 | KB5073724 | Extended Security Update (ESU) | Designed for organizations still using Windows 10 beyond its end of support. Includes critical security patches and extended support. |
What’s in These Updates?
The January 2026 cumulative updates include:
- Fixes for all 114 vulnerabilities listed in the security bulletin.
- Eight Critical vulnerabilities, including six remote code execution (RCE) flaws and two elevation-of-privilege (EoP) issues.
- Three zero-day vulnerabilities, including the actively exploited Desktop Window Manager flaw (CVE-2026-20805).
- Security improvements for Windows Defender, memory protection, and kernel-level hardening.
For Windows 10 users, the KB5073724 update is especially important — it’s part of the Extended Security Update (ESU) program, which allows organizations to continue receiving security patches beyond the standard end-of-life date.
Why This Update Matters
The January 2026 Patch Tuesday is one of the most security-critical of the year due to:
- Active exploitation of a zero-day (CVE-2026-20805) — a rare and high-risk event.
- Removal of a third-party driver — a proactive step to eliminate risk.
- Eight Critical vulnerabilities, including six RCE flaws, which could allow unauthorized remote access.
- Long-term security risks, such as expired Secure Boot certificates, are being addressed.
Security experts, including BleepingComputer, Krebs on Security, and The Hacker News, have emphasized that delaying this update could lead to serious breaches.
How to Download and Install the Updates
The primary method for obtaining and installing these updates is through Windows Update:
- Windows Update: Go to Settings > Update & Security > Windows Update (or equivalent in older Windows versions) and check for updates.
- WSUS/SCCM: Organizations using Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) can deploy updates through their centralized management systems.
- Microsoft Update Catalog: For specific updates or offline installations, you can download them directly from the Microsoft Update Catalog website.
Windows update offline installers:
- Windows 11 KB5072033 (Version 25H2/24H2) offline installer Direct Download Link 64-bit.
- Windows 11 KB5071417 (Version 23H2) offline installer Direct Download Link 64-bit.
- Windows 10 KB5071546 (For versions 22H2 and 21H1) Direct Download Links: 64-bit and 32-bit (x86).
Important notes:
- Focus on installing critical updates first, as they address the most severe vulnerabilities.
- Enable automatic updates to ensure that security patches are installed promptly.
- Before deploying updates to production systems, it’s recommended to test them in a non-production environment to identify any potential compatibility issues.
- Regularly check the Microsoft Security Update Guide for detailed information about released updates.
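After deploying the update, administrators usually want a quick post-install check. The script below is an added example (not from the original post or from Microsoft) that verifies the three items this post covers: that one of the January 2026 KBs is installed, that the removed Agere drivers (agrsm64.sys, agrsm.sys) are no longer on disk, and that Secure Boot is still enabled. It assumes an elevated PowerShell session and the standard System32\drivers location; the function names and output layout are this example's own.

```powershell
# Added example (not part of the original post): post-patch verification for
# the January 2026 Patch Tuesday items discussed above. Run elevated.

# KB numbers named in the post (Windows 11 cumulative, Windows 10 ESU).
$expectedKbs = @('KB5074109', 'KB5073455', 'KB5073724')

# Driver binaries the post says Microsoft removed for CVE-2023-31096.
$removedDrivers = @('agrsm64.sys', 'agrsm.sys')

function Test-JanuaryPatch {
    # Get-HotFix wraps Win32_QuickFixEngineering; only the KB matching this
    # OS/branch is expected, so any single match counts as installed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($expectedKbs | Where-Object { $installed -contains $_ })
    $detail = if ($found.Count -gt 0) { $found -join ', ' } else { 'none of ' + ($expectedKbs -join ', ') }
    [pscustomobject]@{ Check = 'Cumulative update installed'; Result = ($found.Count -gt 0); Detail = $detail }
}

function Test-AgereDriverRemoved {
    # Assumed standard driver store location; adjust if your image differs.
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    $present = @($removedDrivers | Where-Object { Test-Path (Join-Path $driverDir $_) })
    $detail = if ($present.Count -gt 0) { 'still on disk: ' + ($present -join ', ') } else { 'not found' }
    [pscustomobject]@{ Check = 'Agere modem driver removed'; Result = ($present.Count -eq 0); Detail = $detail }
}

function Test-SecureBootState {
    # Confirm-SecureBootUEFI requires elevation and throws on legacy BIOS machines.
    try { $state = Confirm-SecureBootUEFI } catch { $state = $null }
    $detail = if ($null -eq $state) { 'not UEFI, or session not elevated' } else { "SecureBoot=$state" }
    [pscustomobject]@{ Check = 'Secure Boot enabled'; Result = ($state -eq $true); Detail = $detail }
}

# Collect the three checks into one table; any Result of False needs follow-up.
@(Test-JanuaryPatch; Test-AgereDriverRemoved; Test-SecureBootState) | Format-Table -AutoSize
```

The driver check only proves the files are gone from the default location; a device still bound to the old driver would show up in Device Manager, so treat a False result there as a prompt to investigate rather than a full answer.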