January 2026 Microsoft Patch Tuesday Fixes, 3 Zero-Days & 114 Flaws

Article Overview

• The January 2026 Patch Tuesday from Microsoft covers 114 vulnerabilities, including three zero-days, one of which is currently being exploited in the wild
• The CVE-2026-20805, which is being actively exploited, affects the Desktop Window Manager and could let attackers access sensitive data
• Eight critical vulnerabilities have been patched, most of which are remote code execution and elevation of privilege flaws
• Security experts recommend deploying patches for the actively exploited zero-day vulnerability as a priority
• This month’s update is significantly larger than the release in December 2025, which covered 57 vulnerabilities

Microsoft has released its first security update of 2026, which addresses a significant 114 vulnerabilities across its product range. The January 2026 Patch Tuesday is particularly noteworthy because it includes fixes for three zero-day vulnerabilities, one of which is already being actively exploited by threat actors. Companies are strongly advised to prioritize these updates to protect their systems from potential compromise.

Alert: Critical Patches for Three Zero-Day Vulnerabilities

Zero-day vulnerabilities are among the most serious security risks because they are either publicly known or being actively exploited before a patch is available. The January update from Microsoft addresses three of these, underlining the importance of the company’s security release this month. Check Point, a security monitoring company, has stressed the seriousness of these vulnerabilities and is advising that patches be applied immediately to reduce risk.

Windows Desktop Manager Flaw (CVE-2026-20805) Under Active Exploitation

Among the most urgent vulnerabilities patched this month is CVE-2026-20805, a flaw in the Desktop Window Manager that is currently being exploited by attackers. Despite Microsoft only rating this vulnerability as “Important”, Check Point’s security researchers have upgraded its risk level to “High” due to evidence of active exploitation. This flaw could allow unauthorized individuals to access sensitive system data, which could potentially provide the information necessary for them to compromise the system further or escalate their privileges.

The Desktop Window Manager is a key part of Windows that controls how the user interface looks. This vulnerability is especially worrying because of how important the Desktop Window Manager is to the operating system. Microsoft has not shared the technical details of how the vulnerability is exploited, probably to stop more threat actors from using the flaw while companies apply patches.

Zero-Day Media Handling Vulnerability (CVE-2026-21265) Disclosed Publicly

The second zero-day, CVE-2026-21265, impacts Windows Digital Media components and could give hackers the ability to increase their privileges on systems they’ve compromised. Even though there’s no sign of active exploitation at this point, the vulnerability has been disclosed publicly, making it more likely for hackers to create exploits. This kind of vulnerability is especially risky because it can be used with other attacks to gain more system access.

Attackers have often targeted digital media handling flaws because they can often be triggered by seemingly harmless activities such as opening media files or browsing websites. The elevation of privilege capabilities makes this vulnerability a key element in possible attack chains where initial access is followed by privilege escalation to gain deeper system control.

Probable Backported Solution (CVE-2023-31096)

Unusually, Microsoft has included what seems to be a backported or related solution identified as CVE-2023-31096. The presence of a 2023-dated CVE in the 2026 updates implies this may be a solution to a legacy vulnerability or component that still exists in current systems. Little information has been given about this specific problem, but its inclusion in this month’s critical patch bundle suggests it needs to be dealt with. For more context on recent developments, you might want to check out how Vestavia Hills is planning new developments.

Understanding the 114 Security Flaws of January

The January 2026 Patch Tuesday is a massive security update, with the 114 fixed vulnerabilities scattered across various Microsoft products and services. This is almost twice the number of flaws fixed in the December 2025 update, which fixed 57 vulnerabilities. The significant increase could mean a backlog of fixes or potentially increased discovery rates after year-end security reviews.

57 Privilege Escalation Vulnerabilities

The most significant group of patches deal with privilege escalation vulnerabilities, making up exactly half of the total flaws addressed. These vulnerabilities allow hackers who have already gained some level of access to a system to increase their privileges, possibly achieving admin rights. The fact that these vulnerabilities are primarily found in kernel drivers and management services is particularly worrisome, as these are essential parts of the operating system.

22 Remote Code Execution Vulnerabilities

The January 2026 Microsoft Patch Tuesday update addresses 22 remote code execution (RCE) vulnerabilities, six of which are rated as Critical. These vulnerabilities are some of the most serious threats patched in this update because they could allow attackers to execute malicious code on target systems without needing physical access or significant user interaction. Office applications and Windows services are especially vulnerable to these high-severity issues.

A number of these RCE vulnerabilities impact fundamental Windows components that deal with network traffic or manage files from sources that are not trusted. The severity of these flaws suggests they could possibly be converted into wormable exploits that propagate automatically across networks if they are not patched.

22 Issues of Information Disclosure

Attackers can use vulnerabilities in information disclosure as tools for reconnaissance, revealing sensitive data that can lead to more sophisticated attacks. This month’s patches take care of 22 such flaws, including the actively exploited CVE-2026-20805 in the Desktop Window Manager. These issues are often rated lower in severity than RCE vulnerabilities, but they can be the first step in complex attack chains.

Many of these vulnerabilities, which can disclose information, have an impact on a variety of Windows components. This could potentially expose sensitive memory contents, system configuration details, or authentication information. These leaks could give attackers the valuable information they need to create more targeted exploits for specific environments, similar to how the Pentagon’s adoption of Musk’s Grok AI has raised concerns about security vulnerabilities.

Additional Serious Security Issues

The other vulnerabilities that this update addresses include security feature bypass problems, spoofing vulnerabilities, and denial of service weaknesses. Although these vulnerabilities are less common, they can still present considerable risks, depending on a company’s specific threat profile and system setups. Microsoft has prioritized these fixes based on the likelihood of exploitation and potential effects.

Eight Critical Flaws that Need Urgent Attention

Of the 114 flaws that were patched, Microsoft has marked eight as Critical, which is their highest severity rating. These flaws need urgent attention as they could let attackers fully compromise the affected systems with little user interaction. Six of these Critical issues are remote code execution vulnerabilities, while two are elevation of privilege vulnerabilities.

These Critical vulnerabilities should be on top of the list for security teams to patch since they pose the most serious threats to organizational security. The fact that these flaws can be exploited remotely makes them especially appealing to threat actors who want to infiltrate corporate networks. For example, the recent Pentagon’s adoption of AI highlights the importance of securing remote systems against potential threats.

Security Vulnerabilities in Office Applications

Multiple Critical vulnerabilities have been found in Microsoft Office applications that could let hackers execute harmful code when users open specially designed documents. These vulnerabilities are especially risky in business settings where document sharing is a common occurrence. A hacker could create a harmful document that, when opened, runs code with the same permissions as the user who is currently logged in. For example, a similar situation occurred when an accused individual was identified before a fatal incident, highlighting the importance of cybersecurity in preventing unauthorized access.

These vulnerabilities are usually exploited by sending phishing emails with weaponized attachments to specific targets. Opening these documents can activate the vulnerability, and no further action is needed from the user after the file is initially opened.

LSASS Security Weak Points

The updates of this month include fixes for critical weak points in the Local Security Authority Subsystem Service (LSASS), a crucial Windows component that enforces security rules. Weak points in LSASS can lead to severe problems, potentially enabling attackers to steal credentials or increase privileges on systems that have been compromised. Given the role of LSASS in authentication, these weak points could lead to lateral movement within networks.

LSASS vulnerabilities have a history of being the target of advanced threat actors due to their high potential impact. High-profile attacks like Mimikatz have exploited LSASS in the past to extract credentials, which makes these patches especially important for protecting the integrity of authentication.

Windows Services Vulnerable to Remote Attacks

Microsoft has issued Critical patches for a number of Windows services with network-facing components that are susceptible to remote code execution vulnerabilities. In certain configurations, these services may be exposed to external networks, thereby enabling attackers to send specially crafted packets that trigger code execution. Organizations with Windows servers that face the internet should prioritize these updates to avoid potential compromise.

The weak points include components that manage network protocols and data processing, making them potential gateways for attackers looking to establish a presence in targeted networks. In some instances, successful exploitation wouldn’t necessitate any user interaction, making these vulnerabilities particularly hazardous.

Impacted Microsoft Products and Services

The security update for January affects almost all Microsoft ecosystem, requiring patches across client operating systems, server products, developer tools, and productivity applications. This wide-ranging scope underscores the need to keep a full inventory of deployed Microsoft products to make sure all systems at risk get the necessary updates.

Companies operating hybrid environments are tasked with the additional responsibility of synchronizing patches across on-site systems and cloud services. Microsoft has incorporated comprehensive instructions for every impacted product to support administrators in applying the required security updates across varied deployment scenarios.

A Comparison of This Patch Tuesday to Previous Updates

The Patch Tuesday of January 2026 has seen a substantial rise in the number of vulnerabilities compared to recent months, with 114 flaws being addressed as opposed to 57 in December 2025 and 63 in November 2025. This increase, which is nearly 100%, indicates that Microsoft might have built up a backlog of fixes during the holiday season or increased the pace of its vulnerability research efforts. According to the security firm SentinelOne, this is the biggest single Patch Tuesday release since August 2025.

Three zero-days, one of which is currently being exploited, are included in this patch, continuing a worrying trend from the end of 2025. In December, three zero-days were patched, and in November, one actively exploited vulnerability was addressed. This suggests that advanced threat actors are still finding and using previously unknown vulnerabilities against high-value targets before defences can be put in place.

This month’s update stands out because it focuses on critical vulnerabilities in the main parts of Windows, instead of browser technologies, which were the main focus of critical fixes for most of 2025. This change could mean that attackers are starting to target operating system components more, as browser security gets better.

Analyzing the Trends in Vulnerability

Upon examining the breakdown of vulnerabilities, the percentage of elevation of privilege flaws (50%) is a trend that continues from 2025. This category has been consistently the most common in Microsoft’s monthly patches. The continued presence of these vulnerabilities indicates that attackers are focusing more and more on post-exploitation capabilities. This is where the initial access is followed by escalation of privileges to establish a deeper persistence.

The percentage of patches for remote code execution vulnerabilities has stayed steady at around 20% for the past few months. This suggests that these high-impact issues are being found at a consistent rate. However, the fact that these RCE flaws are now more common in Office applications than in browser components is a change from previous patterns. It also aligns with observed attack trends that focus on document-based initial access vectors.

Trends in Zero-Day Exploits

The Desktop Window Manager vulnerability (CVE-2026-20805) is currently being exploited, and this follows a trend we saw in 2025. Information disclosure vulnerabilities are often the first step in complex attack chains. These types of flaws usually allow attackers to get around address space layout randomization (ASLR) or similar protections. This makes it easier for them to exploit other vulnerabilities to execute code or escalate privileges.

Rolling Out the January 2026 Updates in Your Network

Due to the extensive and serious nature of this month’s security patches, it’s advised that companies adopt a strategic, risk-oriented method for patch rollout. Rapid7, a security company, suggests that companies should first rollout fixes for the zero-day that is currently being exploited (CVE-2026-20805) across all systems. This should be followed by the critical remote code execution vulnerabilities, particularly the ones that impact services facing the internet. This staged method allows security teams to deal with the most urgent threats while also reducing the potential for operational disruptions that could occur from patching across the network all at once.

Enterprise Environment Patch Testing

Before a company-wide rollout, patches should be tested in a controlled environment that is a close representation of production systems. The testing focus should be on applications and services that are critical to the business to identify any potential compatibility issues. For the updates in January 2026, extra focus should be on patches for Office applications because there are several critical vulnerabilities that affect these productivity tools that are used across the board. Test scenarios should be created that specifically target the patched components, especially those that involve file handling, authentication processes, and network communications.

Suggested Schedule for Implementing Fixes

Once you have successfully tested the patches, start to roll them out in phases. Start with your development and test environments before moving on to your production systems. Pay particular attention to your critical internet-facing systems, especially those that are running services with remote code execution vulnerabilities. For the Desktop Window Manager vulnerability, which is currently being exploited, try to get all your Windows systems patched within 48 hours. For the remaining vulnerabilities, try to get them all patched within 14 days, with your critical systems patched within the first week.

How to Check if Your Patch Installation was Successful

Once you’ve deployed the patch, you can use Microsoft’s verification tools or third-party vulnerability scanners to check if the installation was successful. You can use the “Get-Hotfix” PowerShell cmdlet to confirm if specific updates have been installed. You can also check your Windows Update history to see a complete list of patches that have been applied. If you’re in an enterprise environment, you can use Microsoft Endpoint Configuration Manager or a similar management tool to create compliance reports. These reports will show you which systems are missing critical updates. You should also conduct targeted vulnerability scanning. This will help you check the effectiveness of your remediation, especially for systems that face the internet.

Commonly Asked Questions

The January 2026 Patch Tuesday has raised many questions from security teams around the world. Here are the answers to the most frequent questions to help companies get through this major security update, including how teams bolster their defenses against emerging threats.

What is the most dangerous vulnerability in January 2026?

The Desktop Window Manager information disclosure vulnerability, known as CVE-2026-20805, is currently the most dangerous. It’s already being exploited by threat actors, making it a very real threat. Even though it’s technically classified as “Important” rather than “Critical,” the fact that it’s already being used in attacks makes it a high priority. This patch should be the first one you install from the January release because it fixes a vulnerability that we know is being exploited.

Is it possible to install only the zero-day patches?

Yes, it is technically possible to install individual updates. However, security experts advise against this approach. This is because modern attack chains often exploit multiple vulnerabilities in sequence. As a result, partial patching can leave systems vulnerable to these combination attacks.

Should you find yourself unable to fully patch due to resource limitations, first focus on the currently exploited CVE-2026-20805, then take care of the critical remote code execution vulnerabilities. That said, it’s crucial to set a clear timetable for installing the rest of the patches as soon as you can. This will help you avoid leaving security holes that more advanced attackers could spot and take advantage of.

How can I confirm if my systems are at risk from the actively exploited flaws?

For CVE-2026-20805, you should check the version of dwm.exe (Desktop Window Manager) on your systems. Versions that are vulnerable will be older than this month’s update. You can use PowerShell to check the file version with: Get-Item $env:windir\system32\dwm.exe | Select-Object VersionInfo. Additionally, you might want to explore how the Pentagon adopts Musk’s Grok AI for further insights into technological advancements.

Microsoft has also issued detection advice for its security products. Both Microsoft Defender for Endpoint and Microsoft Defender Antivirus have been updated to detect any attempts to exploit this vulnerability.

Vulnerability scanners from third-party vendors such as Tenable, Qualys, and Rapid7 have been updated to detect systems that are vulnerable to the zero-days of January 2026. A targeted scan can be run to quickly identify vulnerable systems in your environment.

• Check security logs for suspicious activity related to Desktop Window Manager (Event ID 4688 with dwm.exe as the process)
• Watch for unusual process creation or access patterns involving system components
• Apply Microsoft’s recommended detection rules to identify potential exploitation attempts
• Turn on enhanced logging on critical systems to capture indicators of compromise
• Think about implementing network traffic analysis to identify command and control communications

What do I do if patching causes compatibility issues?

If patching causes compatibility problems, put Microsoft’s recommended mitigations into place as temporary alternatives while working toward full patch deployment. For the Desktop Window Manager vulnerability, think about restricting user privileges and putting application control policies into place to limit the impact of potential exploitation. Report compatibility issues to Microsoft through official support channels, as they may release revised patches or additional mitigations. Document all systems operating with mitigations rather than patches and put enhanced monitoring into place for these systems to detect potential compromise attempts.

How frequently does Microsoft roll out off-cycle patches for zero-days?

Microsoft usually only rolls out off-cycle patches for the most severe vulnerabilities that are being actively exploited on a large scale. In 2025, Microsoft rolled out four off-cycle patches for zero-day vulnerabilities, which averages out to one per quarter.

When deciding to release an emergency update, the company considers several factors such as how prevalent the exploitation is, how easy it is to exploit, and the potential impact. Microsoft usually includes vulnerabilities discovered close to a scheduled Patch Tuesday in the regular update, unless the exploitation is widespread.