
Microsoft Patch Tuesday fixes 3 zero-days, 114 flaws in January 2026 update

Summary

– Microsoft’s January 2026 Patch Tuesday addresses 114 security flaws, including one actively exploited and two publicly disclosed zero-day vulnerabilities.
– The update fixes eight “Critical” vulnerabilities, with the majority being remote code execution flaws.
– The actively exploited zero-day (CVE-2026-20805) is an information disclosure vulnerability in the Desktop Window Manager.
– One publicly disclosed zero-day (CVE-2026-21265) concerns expiring Secure Boot certificates, which the updates renew to maintain the trust chain.
– The updates also remove vulnerable third-party Agere Soft Modem drivers (CVE-2023-31096) that were previously exploited for privilege escalation.

Microsoft’s January 2026 Patch Tuesday delivers a substantial set of security fixes, addressing a total of 114 vulnerabilities across its product ecosystem. This monthly security rollout includes patches for eight critical flaws and resolves three zero-day vulnerabilities, one of which is confirmed to be under active attack. System administrators and security teams should prioritize deploying these updates to mitigate significant risks, including remote code execution and privilege escalation.

The breakdown of vulnerabilities by category is as follows: 57 Elevation of Privilege, 22 Remote Code Execution, 22 Information Disclosure, 5 Spoofing, 3 Security Feature Bypass, 2 Denial of Service, and 3 publicly known zero-days. It is important to note that this count reflects only the updates released on this specific Patch Tuesday and does not include fixes for Microsoft Edge or Mariner vulnerabilities issued earlier in the month.

Three zero-day vulnerabilities are a key focus of this update cycle. Microsoft defines a zero-day as a flaw that is either publicly disclosed or actively exploited before a patch is available. This month’s batch includes both kinds: one actively exploited and two publicly disclosed.

The actively exploited zero-day is tracked as CVE-2026-20805, an information disclosure vulnerability in the Desktop Window Manager. According to Microsoft, this flaw could allow an authenticated attacker to locally disclose sensitive information. Successful exploitation enables reading memory addresses linked to a remote ALPC port, potentially exposing user-mode memory sections. The Microsoft Threat Intelligence Center and Microsoft Security Response Center discovered the issue, though specific details on the exploitation methods have not been shared.

Two other zero-days were publicly disclosed prior to this patch. The first, CVE-2026-21265, concerns a Secure Boot certificate expiration that could allow a security feature bypass. Certificates issued in 2011 for Secure Boot are nearing their expiration dates. Systems that are not updated face an increased risk where threat actors might bypass Secure Boot protections. The affected certificates include the Microsoft Corporation KEK CA 2011 (expiring June 24, 2026), the Microsoft Corporation UEFI CA 2011 (expiring June 27, 2026), and the Microsoft Windows Production PCA 2011 (expiring October 19, 2026). These security updates renew the certificates to maintain the Secure Boot trust chain.

The second publicly disclosed zero-day is CVE-2023-31096, an elevation of privilege vulnerability in the third-party Agere Soft Modem driver. Microsoft had previously warned about actively exploited flaws in this driver during an October update and indicated it would be removed. With this January 2026 cumulative update, the company has now removed the vulnerable `agrsm64.sys` and `agrsm.sys` drivers from Windows installations. This vulnerability was attributed to the researcher Zeze with TeamT5.
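The two publicly disclosed items above both leave a host-level trace an administrator can verify after patching: whether the Agere driver files are gone, and whether the Secure Boot KEK and db variables now carry a renewed Microsoft CA rather than only the 2011 ones. The following PowerShell is an added example, not code from the article or from Microsoft; the 2023 successor CA names come from Microsoft's published Secure Boot CA update guidance and are an assumption to adjust if your guidance differs.

```powershell
# Added example: post-update verification for the two publicly disclosed items.
# Run from an elevated PowerShell session on the patched host.
#Requires -RunAsAdministrator

# 1. Agere Soft Modem driver removal (agrsm64.sys / agrsm.sys are named in the article).
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
foreach ($name in 'agrsm64.sys', 'agrsm.sys') {
    $path = Join-Path $driverDir $name
    if (Test-Path $path) {
        $signer = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
        Write-Warning ("Vulnerable driver still present: {0} (signer: {1})" -f $path, $signer)
    } else {
        Write-Output "OK: $name not found (removed or never installed)"
    }
}
# A file can be gone while its service entry lingers; report that too.
Get-CimInstance Win32_SystemDriver -Filter "Name LIKE 'agrsm%'" | ForEach-Object {
    Write-Warning ("Driver service still registered: {0} (state: {1})" -f $_.Name, $_.State)
}

# 2. Secure Boot certificate renewal. Subject names inside the DER-encoded
#    variables are stored as printable strings, so an ASCII substring search
#    over the raw bytes is enough to see which CAs each variable carries.
$cas = @{
    KEK = @{ Old = @('Microsoft Corporation KEK CA 2011')
             New = @('Microsoft Corporation KEK 2K CA 2023') }            # assumed successor name
    db  = @{ Old = @('Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011')
             New = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023') }  # assumed successor names
}
try {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled; certificate renewal is not in effect on this host.'
        return
    }
} catch {
    Write-Warning 'Secure Boot state could not be read (legacy BIOS or unsupported firmware).'
    return
}
foreach ($var in $cas.Keys) {
    $text   = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
    $hasNew = @($cas[$var].New | Where-Object { $text.Contains($_) })
    $hasOld = @($cas[$var].Old | Where-Object { $text.Contains($_) })
    if ($hasNew.Count -gt 0)     { Write-Output  "OK: $var contains $($hasNew -join ', ')" }
    elseif ($hasOld.Count -gt 0) { Write-Warning "$var still carries only the 2011 CA(s): $($hasOld -join ', ')" }
    else                         { Write-Warning "$var contains no expected Microsoft CA; check firmware configuration" }
}
```

The db variable on a given machine may legitimately contain only one of the two listed families, so treat a single match as a pass; firmware that never receives the renewed KEK will keep reporting the 2011 entry even after the Windows update is installed.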

Among the eight critical-rated vulnerabilities patched, six are remote code execution flaws and two are elevation of privilege flaws. These severe issues affect components including Microsoft Office Excel, Windows Local Security Authority Subsystem Service (LSASS), and the Windows Virtualization-Based Security (VBS) Enclave.

A complete list of the resolved vulnerabilities is provided below. For detailed descriptions and affected systems, readers should consult the official security update guide.

Agere Windows Modem Driver

– CVE-2023-31096

Organizations are advised to review their update deployment schedules immediately, giving highest priority to systems affected by the critical flaws and the actively exploited zero-day.

(Source: Bleeping Computer)
