Microsoft Fixes 113 Vulnerabilities & 1 Actively Exploited 0-Day in First Patch Released - Jan 2026

Summary: Microsoft's first Patch Tuesday for January 2026 resolves 113 vulnerabilities across Windows, Office, Azure, and other components. The number of patches has increased compared with the last patch release in December 2025. One of the most important flaws is CVE-2026-20805, an information disclosure vulnerability in Desktop Window Manager with a CVSS score of 5.5, discovered by Microsoft's own Threat Intelligence and Security Response Centers.

OEM: Microsoft
Severity: Critical
Date of Announcement: 2026-01-13
No. of Patches: 113
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0

Overview 

The update includes one actively exploited zero-day (CVE-2026-20805) in Desktop Window Manager (DWM), two publicly disclosed zero-days, such as the CVE-2026-21265 Secure Boot bypass, and Critical-rated flaws, including RCE in Office and NTFS.

CVEs addressed, Microsoft and non-Microsoft:

  • 112 Microsoft CVEs addressed 
  • 3 non-Microsoft CVEs addressed (2 Republished) 

Breakdown of January 2026 Vulnerabilities 

  • 56 Elevation of Privilege (EoP) 
  • 22 Remote Code Execution (RCE) 
  • 22 Information Disclosure 
  • 2 Denial of Service (DoS) 
  • 3 Security Feature Bypass 
  • 5 Spoofing  
  • 3 Tampering

| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
|---|---|---|---|---|
| Desktop Window Manager Information Disclosure Vulnerability (Zero-Day, Exploited in Wild) | CVE-2026-20805 | Windows 10, 11, Server (DWM) | High | 5.5 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2026-20953 | Microsoft Office (Excel/Word) | High | 8.4 |
| Windows NTFS Remote Code Execution Vulnerability | CVE-2026-20840 | Windows NTFS | High | 7.8 |
| Windows VBS Enclave Elevation of Privilege Vulnerability | CVE-2026-20876 | Windows Virtualization-Based Security | Medium | 6.7 |
| Secure Boot Certificate Expiration Security Feature Bypass (Publicly Disclosed Zero-Day) | CVE-2026-21265 | Windows Secure Boot | Medium | 6.4 |

Technical Summary 

Microsoft's January 2026 Patch Tuesday fixes 113 flaws, including one exploited zero-day in Desktop Window Manager that leaks memory addresses, which aids ASLR bypass and chaining with other exploits. The fixes for two more zero-days address Secure Boot certificate expirations and remove vulnerable third-party modem drivers. Critical remote code execution issues affect Office (exploitable via the preview pane) and NTFS (heap overflows), while a virtualization security enclave flaw enables deep system persistence. Admins and users must patch immediately so attackers can't exploit these vulnerabilities to compromise systems.

| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2026-20805 | Desktop Window Manager | Leaks user-mode memory (ALPC port addresses) for local info disclosure (Exploited in Wild) | Information Disclosure |
| CVE-2026-20952 / CVE-2026-20953 | Microsoft Office | RCE via malicious docs, exploitable in preview pane | Remote Code Execution |
| CVE-2026-20840 / CVE-2026-20922 | Windows NTFS | Heap-based buffer overflows for arbitrary code execution | Security Feature Bypass |
| CVE-2026-20876 | Windows VBS Enclave | EoP to VTL2 privileges, subverts security boundaries | Elevation of Privilege |
| CVE-2026-21265 | Windows Secure Boot | Certificate expiration allows bypass | Elevation of Privilege |

Key Affected Products and Services 

The January 2026 updates address vulnerabilities across: 

  • Windows Core Components: Kernel, NTFS, DWM, Hyper-V, Kerberos, RRAS, SMB, WinSock
  • Microsoft Office Suite: Excel, Word, SharePoint; RCE via docs/preview
  • Azure & Cloud Services: Connected Machine Agent, Core library
  • Graphics Components: DWM, Graphics Kernel
  • Drivers & Services: Agere Modem removal, HTTP.sys, ICS
  • Developer/Other: Windows Admin Center, SQL Server, WalletService

Remediation: 

  • Install the January 2026 Microsoft security updates immediately across all systems. 

Further recommendations:

  • Monitor IoCs for DWM memory leaks, ALPC anomalies, Secure Boot failures, or unusual driver loads. 
  • Enroll Windows 10 ESU; remove legacy Agere drivers if not auto-removed. 
  • Enforce least privilege, segment networks, and disable unused services (e.g., RRAS).
  • Deploy EDR/SIEM for kernel/Office activity detection. 
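
A read-only host audit for three of the recommendations above, given as an added example that is not part of the original advisory or any Microsoft tooling. Assumptions: RRAS is checked through its Windows service name RemoteAccess, Agere drivers are found by matching the vendor string "Agere" in driver metadata (the advisory names no driver files), and the "Windows UEFI CA 2023" check comes from Microsoft's published Secure Boot certificate guidance rather than from this page.

```powershell
# Added audit sketch; run from an elevated PowerShell session on one host.
# Read-only: it reports findings and changes nothing.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Status, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. RRAS: the advisory recommends disabling it where it is unused.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if (-not $rras) {
    Add-Finding 'RRAS' 'OK' 'RemoteAccess service not installed'
} elseif ($rras.Status -eq 'Running' -or $rras.StartType -ne 'Disabled') {
    Add-Finding 'RRAS' 'REVIEW' "Status=$($rras.Status) StartType=$($rras.StartType)"
} else {
    Add-Finding 'RRAS' 'OK' 'Service present but disabled'
}

# 2. Legacy Agere modem drivers: match on vendor text in the installed PnP
#    driver packages and in registered kernel driver services (assumption).
$pnp = @(Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { "$($_.DriverProviderName) $($_.Manufacturer) $($_.DeviceName)" -match 'Agere' } |
    ForEach-Object { "$($_.DeviceName) [$($_.InfName)]" })
$svc = @(Get-CimInstance Win32_SystemDriver |
    Where-Object { "$($_.DisplayName) $($_.Description)" -match 'Agere' } |
    ForEach-Object { "$($_.Name) [$($_.PathName)]" })
$agere = $pnp + $svc
if ($agere.Count -gt 0) { Add-Finding 'Agere drivers' 'REVIEW' ($agere -join '; ') }
else                    { Add-Finding 'Agere drivers' 'OK' 'No matching driver found' }

# 3. Secure Boot: confirm it is enabled and that the allowed-signature
#    database (db) already carries the replacement 2023 certificate.
try {
    if (-not (Confirm-SecureBootUEFI -ErrorAction Stop)) {
        Add-Finding 'Secure Boot' 'REVIEW' 'Secure Boot is disabled'
    } else {
        $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        if ($db -match 'Windows UEFI CA 2023') {
            Add-Finding 'Secure Boot' 'OK' '2023 CA present in db'
        } else {
            Add-Finding 'Secure Boot' 'REVIEW' '2023 CA not found in db'
        }
    }
} catch {
    # Legacy BIOS hosts and non-elevated sessions end up here.
    Add-Finding 'Secure Boot' 'UNKNOWN' $_.Exception.Message
}

$findings | Format-Table -AutoSize -Wrap
```

Any REVIEW row needs a follow-up on that host; UNKNOWN usually means the session was not elevated or the machine does not boot via UEFI.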

Conclusion: 
Microsoft's January 2026 Patch Tuesday resolves 113 vulnerabilities, including one exploited zero-day in DWM, Secure Boot bypasses, driver removals, and Critical RCE/EoP in Office, NTFS, and VBS. With confirmed in-the-wild exploitation and memory leaks that enable chained attacks, prioritize patching to block ransomware, persistence, and evasion in enterprise environments.
