
Microsoft patches 112 CVEs on first Patch Tuesday of 2026


Microsoft has pushed fixes for 112 common vulnerabilities and exposures (CVEs) on the first Patch Tuesday of 2026, among them a number of zero-day flaws that had been either publicly disclosed or actively exploited prior to patching, and no fewer than eight critical bugs.

Though this is a sharp increase compared to recent Patch Tuesdays – December 2025 saw Microsoft patch just 56 flaws – it is important to note that the festive season is often a quieter time for patches, generally by design, and January usually brings an uptick in disclosures. Nonetheless, observed Jack Bicer, director of vulnerability research at patch management firm Action1, the volume of fixes in the latest update underscores “rising pressure” on security teams.

“This comes against a broader trend: in 2025, reported vulnerabilities increased by 12% over 2024, continuing the upward trajectory of disclosed security flaws,” said Bicer.

Paramount among these flaws is CVE-2026-20805, an information disclosure vulnerability in Desktop Window Manager, discovered by Microsoft’s own Threat Intelligence and Security Response Centers.

Though it bears a comparatively low Common Vulnerability Scoring System (CVSS) score of just 5.5, active exploitation of CVE-2026-20805 has been observed in the wild, Microsoft said.

“The flaw leaks a memory address from a remote ALPC [Asynchronous Local Procedure Call] port. This type of information disclosure vulnerability is usually used to defeat Address Space Layout Randomisation (ASLR) – a security feature in modern operating systems designed to protect against buffer overflows and other exploits that rely on manipulating the memory of a running application,” explained Immersive senior director of cyber threat research, Kev Breen.

“Once they know where code resides in memory, they can chain this with a separate code execution bug to turn a tough exploit into a reliable one,” he said. “Microsoft does not provide any information on what other components that chain might involve – making it harder for defenders to threat hunt for potential exploitation attempts, meaning patching quickly is the only mitigation for now.”

Ivanti vice-president of security product management, Chris Goettl, agreed with this assessment. “The vulnerability affects all currently supported and extended security update supported versions of the Windows OS,” he said, “[so] a risk-based prioritisation methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.”

Next up is a security feature bypass (SFB) flaw in Secure Boot Certificate Expiration, tracked as CVE-2026-21265. It, too, carries a relatively low CVSS score and Microsoft only rates it as Important. However, said Goettl, it has been publicly disclosed and security teams would be wise to look into it.

“The fix provides a warning regarding certificates that will be expiring in 2026 and details on actions that are required to renew certificates prior to their expiration in addition to the update,” he said.

“It is recommended to start investigating what actions your organisation may need to take to prevent potential serviceability and security as certificates expire.”

The remaining items on the zero-day list – again both publicly disclosed but not known to be exploited – date back three and four years respectively. Both are elevation of privilege (EoP) flaws affecting soft modem drivers that ship natively with supported Windows operating systems.

The older of the two, CVE-2023-31096, is to be found in Agere Soft Modem Driver, and the newer one, CVE-2024-55414, in Windows Motorola Soft Modem Driver. Microsoft’s solution is to remove the affected drivers, agrsm64.sys and arsm.sys in the first instance and smserl64.sys and smserial.sys in the second, as part of the January cumulative update.

This means soft modem hardware that depends on them will now cease to work on Windows. Microsoft said admins should act quickly to remove any existing dependencies on the affected hardware.
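One way to find hosts that still depend on these drivers before the cumulative update removes them, as an added PowerShell example that is not Microsoft's or this article's own code. It uses the four file names exactly as printed above; the parameter name and report fields are illustrative.

```powershell
# Added example: inventory of the soft modem drivers named in the article.
# File names are copied from the article as printed; adjust the list if
# vendor documentation for your hardware spells them differently.
param(
    [string[]]$DriverFiles = @('agrsm64.sys', 'arsm.sys', 'smserl64.sys', 'smserial.sys')
)

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# All kernel driver services registered on this host (loaded or not).
$drivers = @(Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName })

$report = foreach ($file in $DriverFiles) {
    # Match on the binary's leaf name; PathName may carry a \??\ prefix or quotes.
    $svc = @($drivers | Where-Object {
        (($_.PathName -split '[\\/]')[-1]).Trim('"') -ieq $file
    })

    [pscustomobject]@{
        DriverFile  = $file
        OnDisk      = Test-Path -LiteralPath (Join-Path $driverDir $file)
        ServiceName = ($svc.Name -join ',')
        State       = ($svc.State -join ',')      # Running / Stopped
        StartMode   = ($svc.StartMode -join ',')  # Boot / System / Auto / Manual / Disabled
    }
}

# Present modem-class devices: candidates for hardware that will stop working.
$modems = @(Get-PnpDevice -Class Modem -PresentOnly -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, InstanceId, Status)

# A host needs follow-up if any listed driver is on disk or registered as a service.
$affected = @($report | Where-Object { $_.OnDisk -or $_.ServiceName })

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    NeedsReview  = ($affected.Count -gt 0)
    Drivers      = $report
    ModemDevices = $modems
}
```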

Critical flaws

The critically-rated flaws in the January 2026 Patch Tuesday drop comprise six remote code execution (RCE) issues and two EoP issues.

The RCE flaws affect Microsoft Excel, Microsoft Office and Windows Local Security Authority Subsystem Service (LSASS). They have been assigned designations CVE-2026-20854, CVE-2026-20944, CVE-2026-20952, CVE-2026-20953, CVE-2026-20955 and CVE-2026-20957.

The EoP flaws are CVE-2026-20822, which affects the Windows Graphics Component, and CVE-2026-20876, which affects Windows Virtualization-Based Security (VBS) Enclave.

Mike Walters, president and co-founder at Action1, said the VBS flaw was worth particular attention because “it breaks the security boundary designed to protect Windows itself, allowing attackers to climb into one of the most trusted execution layers of the system”.

Walters warned of a serious risk to organisations that lean on VBS in order to protect credentials and other secrets, or sensitive workloads, because if exploited successfully, an attacker might be able to bypass security controls, achieve persistence, evade detection, and hit systems that security teams believe to be strongly isolated.

“Although exploitation requires high privileges, the impact is severe because it compromises virtualisation-based security itself. Attackers who already have a foothold could use this flaw to defeat advanced defenses, making prompt patching essential to preserve trust in Windows security boundaries,” he said.

“If the patch cannot be applied immediately, restrict administrative access, enforce strong privilege management, and monitor for abnormal activity involving VBS or enclave-related processes.”