
Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability it announced was being actively exploited in the wild.
Of the 114 flaws, 8 are rated Critical and 106 are rated Important. As many as 58 vulnerabilities are classified as privilege escalation, followed by 22 information disclosure, 21 remote code execution, and 5 spoofing flaws. This makes it the third-largest January Patch Tuesday update, behind January 2025 and January 2022, according to data collected by Fortra.
These patches are in addition to two security flaws that Microsoft has addressed in the Edge browser since the release of the December 2025 Patch Tuesday update: an Android app spoofing flaw (CVE-2025-65046, CVSS score: 3.1) and an insufficient policy enforcement bug in Chromium’s WebView tag (CVE-2026-0628, CVSS score: 8.8).
The vulnerability being exploited in the wild is CVE-2026-20805 (CVSS score: 5.5), an information disclosure flaw in the Desktop Window Manager (DWM). Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) are credited with identifying and reporting it.
“Sensitive information exposed to an unauthorized attacker in Desktop Windows Manager (DWM) may allow an authorized attacker to disclose the information locally,” Microsoft said in an advisory. “The type of information that could be exposed if an attacker were to successfully exploit this vulnerability is the section address, or user mode memory, from the remote ALPC port.”
At this time, details about how this vulnerability is exploited, its scale, and who is behind the activity are unknown.

“DWM is responsible for drawing everything on a Windows system’s display, which means nearly every process needs to display something, so DWM provides an attractive combination of privileged access and universal availability,” Adam Barnett, principal software engineer at Rapid7, said in a statement. “In this case, the exploit could result in inappropriate disclosure of ALPC port section addresses, which are sections of user-mode memory that coordinate various operations between Windows components.”
Microsoft previously addressed a DWM zero-day flaw (CVE-2024-30051, CVSS score: 7.8) that was actively exploited in May 2024. This was described as a privilege escalation flaw that was exploited by multiple threat actors in connection with the distribution of QakBot and other malware families. Satnam Narang, senior staff research engineer at Tenable, called DWM a “frequent user” on Patch Tuesday, with 20 CVEs patched in the library since 2022.
Jack Beisser, Director of Vulnerability Research at Action1, said the vulnerability could be exploited by a locally authenticated attacker to disclose information or defeat Address Space Layout Randomization (ASLR) and other defenses.
“These types of vulnerabilities are often used to undermine address space layout randomization (ASLR), a core security control in operating systems designed to protect against buffer overflows and other memory manipulation exploits,” Kev Breen, senior director of cyber threat research at Immersive, told The Hacker News.
“By revealing where the code resides in memory, this vulnerability can chain with other code execution flaws, turning a complex and unreliable exploit into a practical, repeatable attack.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and required Federal Civilian Executive Branch (FCEB) agencies to apply the latest fix by February 3, 2026.
Another notable vulnerability is a security feature bypass tied to the expiration of Secure Boot certificates (CVE-2026-21265, CVSS score: 6.4). It could allow an attacker to compromise a critical security mechanism that ensures firmware modules come from trusted sources and prevents malware from running during the boot process.
In November 2025, Microsoft announced that three Windows Secure Boot certificates issued in 2011 would expire in June 2026 and encouraged customers to update to the 2023 version.
- Microsoft Corporation KEK CA 2011 (expires June 2026), replaced by Microsoft Corporation KEK 2K CA 2023 (for signing updates to DB and DBX)
- Microsoft Windows Production PCA 2011 (expires October 2026), replaced by Windows UEFI CA 2023 (for signing Windows boot loaders)
- Microsoft UEFI CA 2011 (expires June 2026), replaced by Microsoft UEFI CA 2023 (for signing third-party boot loaders) and Microsoft Option ROM UEFI CA 2023 (for signing third-party option ROMs)
“Secure Boot certificates used by most Windows devices are scheduled to expire starting in June 2026, which could impact the ability of certain personal and business devices to boot securely if they are not updated in time,” Microsoft said. “To avoid confusion, we encourage you to review the guidance and take steps to renew your certificates in advance.”
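To check whether a machine has already received the 2023 certificates listed above, the following added PowerShell example (not Microsoft's tooling or code from the article) reads the UEFI KEK and db variables with the built-in SecureBoot module cmdlets and reports, per replacement CA, whether it is present. It assumes the KEK 2K CA 2023 lives in KEK and the other three 2023 CAs in db, and must run elevated on a UEFI system.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the UEFI Secure Boot databases for the 2023 Microsoft CAs
# that replace the expiring 2011 certificates. Confirm-SecureBootUEFI and
# Get-SecureBootUEFI are the built-in Windows SecureBoot module cmdlets.

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning "Secure Boot is not enabled on this system; the certificate rollover does not apply until it is."
    return
}

# Expiring 2011 CAs and their 2023 replacements (names as in the article),
# keyed by the UEFI variable each is assumed to live in: KEK or the signature database db.
$expected = @(
    @{ Var = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft UEFI CA 2011';                New = 'Microsoft UEFI CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft UEFI CA 2011';                New = 'Microsoft Option ROM UEFI CA 2023' }
)

# Read each variable once. The contents are EFI_SIGNATURE_LIST blobs whose embedded
# X.509 DER certificates carry the subject CN as a plain ASCII byte sequence, so a
# substring search over the ASCII-decoded bytes is enough to spot each CA by name.
$raw = @{}
foreach ($name in 'KEK', 'db') {
    $raw[$name] = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $name).Bytes)
}

foreach ($e in $expected) {
    $hasOld = $raw[$e.Var].Contains($e.Old)
    $hasNew = $raw[$e.Var].Contains($e.New)
    $status = if ($hasNew)     { 'OK: 2023 CA present' }
              elseif ($hasOld) { 'ACTION NEEDED: only the 2011 CA is present' }
              else             { 'UNKNOWN: neither CA name found' }
    [pscustomobject]@{ Variable = $e.Var; Replacement = $e.New; Status = $status }
}
```

Any row reporting ACTION NEEDED is a device that will still be trusting only the 2011 chain when it expires and should be scheduled for the certificate update.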
The Windows maker also noted that the latest update removes the Agere soft modem drivers “agrsm64.sys” and “agrsm.sys”, which were shipped natively with the operating system. These third-party drivers are susceptible to a two-year-old local privilege escalation flaw (CVE-2023-31096, CVSS score: 7.8) that could allow an attacker to gain SYSTEM privileges.

In October 2025, Microsoft took steps to remove another Agere modem driver, ltmdm64.sys, after a privilege escalation vulnerability in it (CVE-2025-24990, CVSS score: 7.8) that could allow an attacker to gain administrative privileges was exploited in the wild.
CVE-2026-20876 (CVSS score: 6.7) should also be high on your priority list. This is a privilege escalation flaw in Windows Virtualization-Based Security (VBS) enclaves that is rated Critical and allows an attacker to gain Virtual Trust Level 2 (VTL2) privileges and use them to subvert security controls, establish deep persistence, and evade detection.
“It penetrates the security perimeter designed to protect Windows itself, allowing attackers to penetrate one of the system’s most trusted execution layers,” said Mike Walters, co-founder and president of Action1.
“While exploitation requires high privileges, the impact is severe because virtualization-based security itself is compromised. Attackers who have already established a foothold could use this flaw to defeat advanced defenses, and rapid patching is essential to maintaining trust in the Windows security perimeter.”
Software patches from other vendors
In addition to Microsoft, other vendors have also released security updates since the beginning of this month to fix several vulnerabilities, including:
ABB, Adobe, Amazon Web Services, AMD, Arm, ASUS, Broadcom (includes VMware), Cisco, ConnectWise, Dassault Systèmes, D-Link, Dell, Devolutions, Drupal, Elastic, F5, Fortinet, Fortra, Foxit Software, FUJIFILM, Gigabyte, GitLab, Google Android and Pixel, Google Chrome, Google Cloud, Grafana, Hikvision, HP, HP Enterprise (includes Aruba Networking and Juniper Networks), IBM, Imagination Technologies, Lenovo, Linux distributions (AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu), MediaTek, Mitel, Mitsubishi Electric, MongoDB, Moxa, Mozilla Firefox and Firefox ESR, n8n, NETGEAR, Node.js, NVIDIA, ownCloud, QNAP, Qualcomm, Ricoh, Samsung, SAP, Schneider Electric, ServiceNow, Siemens, SolarWinds, SonicWall, Sophos, Spring Framework, Synology, TP-Link, Trend Micro, and Veeam.
