Microsoft has released its monthly batch of security updates, dubbed "Patch Tuesday," for January 2026, addressing 113 vulnerabilities across its Windows operating systems and supported software. The release includes eight "critical" vulnerabilities, and Microsoft confirms that at least one of the patched flaws is already under active exploitation by malicious actors, which makes prompt patching the priority this month.

The headline zero-day vulnerability for January 2026, identified as CVE-2026-20805, stems from a flaw within the Desktop Window Manager (DWM). DWM is a fundamental component of Windows, responsible for orchestrating how windows are displayed and managed on a user’s screen. Despite Microsoft assigning this vulnerability a moderate CVSS score of 5.5, its confirmed active exploitation in the wild is a grave concern. Kev Breen, senior director of cyber threat research at Immersive, emphasizes that threat actors are actively leveraging this flaw, indicating a clear and present danger to organizations worldwide.

Breen further elaborates on the insidious nature of CVE-2026-20805, explaining that vulnerabilities of this type are frequently employed to circumvent Address Space Layout Randomization (ASLR). ASLR is a critical operating system security control designed to thwart memory-manipulation attacks, such as buffer overflows, by randomly arranging the memory locations of key data areas. By revealing the precise memory addresses where code resides, CVE-2026-20805 can be chained with other, separate code execution vulnerabilities. This potent combination transforms what would typically be a complex and unreliable exploit into a practical and repeatable attack vector. The lack of disclosure from Microsoft regarding other components that might be involved in such an exploit chain significantly hinders defenders’ ability to proactively hunt for related malicious activity. Consequently, Breen stresses that rapid patching remains the sole effective mitigation strategy against this particular threat.

Chris Goettl, vice president of product management at Ivanti, echoes the sentiment of urgency, noting that CVE-2026-20805 impacts all currently supported and extended security update-supported versions of the Windows operating system. Goettl cautions against complacency, asserting that it would be a significant misstep to underestimate the severity of this flaw based on its "Important" rating and relatively low CVSS score. He advocates for a risk-based prioritization methodology, which would necessitate treating this vulnerability as having a higher severity than its vendor rating or CVSS score might initially suggest.

Beyond the zero-day, this month’s Patch Tuesday also addresses two critical Microsoft Office remote code execution vulnerabilities: CVE-2026-20952 and CVE-2026-20953. The alarming aspect of these flaws is their ease of exploitation; they can be triggered simply by viewing a specially crafted, booby-trapped message within the Office application’s Preview Pane. This makes them particularly dangerous, as a casual user could inadvertently fall victim without even opening the malicious document.

In a concerning development that echoes a similar situation from October 2025’s Patch Tuesday, Microsoft has once again removed a pair of modem drivers from Windows. Adam Barnett from Rapid7 explains that this drastic measure is being taken due to the discovery of functional exploit code for an elevation of privilege vulnerability within a highly similar modem driver, tracked as CVE-2023-31096. This is not a recent discovery; Barnett points out that this vulnerability was initially published by MITRE over two years ago, accompanied by a credible public write-up from the original researcher. The drivers being removed are agrsm64.sys and agrsm.sys. Intriguingly, all three of these problematic modem drivers were originally developed by the same now-defunct third-party vendor and have been embedded within Windows for decades. While the removal of these drivers will likely go unnoticed by the majority of users, Barnett highlights that active modems utilizing them might still be found in niche environments, including some industrial control systems.

Barnett poses two questions that linger in the wake of this driver removal: how many more legacy modem drivers remain on a fully patched Windows asset, and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft completely cuts off attackers who have been "living off the land" by exploiting this class of antiquated device drivers? He clarifies that, even without direct evidence of exploitation of CVE-2023-31096, the earlier write-up and the 2025 removal of another Agere modem driver serve as strong signposts for anyone seeking Windows exploits. Barnett also emphasizes a crucial point: a modem does not need to be physically connected for an asset to be vulnerable; the mere presence of the driver is sufficient to create an exploitable attack surface.
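Because the driver only has to be present, not in use, the practical defender task is an inventory: which of these files exist on disk, and are they still registered as kernel driver services that Windows could load? The following PowerShell is an added example (not code from the article, Rapid7, or Microsoft). The driver file names agrsm64.sys and agrsm.sys come from the article; the `$KnownLegacyDrivers` list, the function names, and the `CompanyName` heuristic used to look for other drivers from the same vendor are assumptions for illustration.

```powershell
# Added example: inventory legacy Agere modem drivers on a Windows host.
# Run in an elevated PowerShell session.

# Driver file names named in the article; extend this list as needed (assumed list).
$KnownLegacyDrivers = @('agrsm64.sys', 'agrsm.sys')
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-LegacyModemDriverStatus {
    param(
        [string[]]$FileNames = $KnownLegacyDrivers,
        [string]$Directory = $DriverDir
    )

    # Every kernel driver Windows knows about, running or not. A present-but-stopped
    # driver is still loadable and therefore still attack surface.
    $services = Get-CimInstance -ClassName Win32_SystemDriver

    foreach ($name in $FileNames) {
        $path   = Join-Path $Directory $name
        $onDisk = Test-Path -LiteralPath $path
        # Match the service whose image path ends in this file name.
        $svc = $services | Where-Object { $_.PathName -and ($_.PathName -like "*\$name") }

        [pscustomobject]@{
            Driver      = $name
            FileOnDisk  = $onDisk
            ServiceName = if ($svc) { ($svc.Name -join ',') } else { $null }
            StartMode   = if ($svc) { ($svc.StartMode -join ',') } else { $null }
            State       = if ($svc) { ($svc.State -join ',') } else { $null }
            Signer      = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject } else { $null }
        }
    }
}

function Find-DriversByVendor {
    # Heuristic (assumed): look for any driver whose embedded version info names the
    # vendor, to surface sibling drivers that are not yet on the known list.
    param(
        [string]$VendorPattern = 'Agere',
        [string]$Directory = $DriverDir
    )
    Get-ChildItem -LiteralPath $Directory -Filter '*.sys' -ErrorAction SilentlyContinue |
        Where-Object { $_.VersionInfo.CompanyName -match $VendorPattern } |
        Select-Object Name, @{ n = 'Company'; e = { $_.VersionInfo.CompanyName } },
                            @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } }, LastWriteTime
}

Get-LegacyModemDriverStatus | Format-Table -AutoSize
Find-DriversByVendor        | Format-Table -AutoSize
```

A row with `FileOnDisk = True` and a populated `ServiceName` means the host still carries the driver as a loadable service after patching; `State = Stopped` is not reassurance, because the point Barnett makes is that presence alone is enough. The vendor scan is only a hint: old WHQL-signed drivers may carry a Microsoft signature and a blank or different `CompanyName`, so treat an empty result as inconclusive rather than clean.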

The security firms Immersive, Ivanti, and Rapid7 have collectively drawn attention to CVE-2026-21265, a critical Security Feature Bypass vulnerability impacting Windows Secure Boot. Secure Boot is a vital security mechanism designed to safeguard systems against sophisticated threats like rootkits and bootkits by ensuring that only trusted software loads during the startup process. This feature relies on a set of digital certificates for authentication. The critical issue arises because the current root certificates are slated for expiration in June 2026 and October 2026. Once these 2011-era certificates expire, Windows devices that have not been updated with newer 2023 certificates will no longer be able to receive essential Secure Boot security fixes, potentially leaving them exposed.

Barnett offers a stern warning regarding the process of updating bootloaders and BIOS. He stresses the paramount importance of thorough preparation before attempting such updates, emphasizing the need to understand the specific OS and BIOS combination being worked with. Incorrect remediation steps, he cautions, can lead to an unbootable system, rendering the device inoperable. He notes that fifteen years is an exceptionally long time in the fast-paced world of information security, and the clock is indeed ticking for the Microsoft root certificates that have underpinned the Secure Boot ecosystem since the days of the Stuxnet attack. Microsoft did release replacement certificates in 2023, alongside patches addressing CVE-2023-24932, which covered relevant Windows updates and subsequent steps to remediate the Secure Boot bypass exploited by the notorious BlackLotus bootkit.
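Before touching bootloaders or firmware, the first step is to establish where each machine stands: is Secure Boot on, and does its UEFI signature database already carry the 2023 certificates? The PowerShell below is an added example (not code from the article or from Microsoft) using the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets. The certificate display names it searches for (the 2011 production CA and the 2023 Windows, third-party, and KEK CAs) are the names Microsoft uses for those CAs as I know them; the article itself refers to them only as "2011-era" and "2023" certificates, so confirm the exact strings against the guidance for your OS and firmware before acting on the result.

```powershell
# Added example: report Secure Boot state and which Microsoft CAs are enrolled in
# the UEFI db and KEK variables. Run elevated on a UEFI-booted Windows system.

function Get-SecureBootCertStatus {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS boot, no access to UEFI variables, or not elevated.
        return [pscustomobject]@{ SecureBoot = 'Unavailable'; Assessment = $_.Exception.Message }
    }

    # The variables come back as raw bytes. The CA subject names are stored as ASCII
    # inside the DER-encoded certificates, so a text search over the bytes is enough
    # to tell which CAs are present without parsing the EFI_SIGNATURE_LIST structures.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    # Certificate names below are assumed to match Microsoft's published CA names.
    $has2011 = $db  -match 'Microsoft Windows Production PCA 2011'
    $has2023 = $db  -match 'Windows UEFI CA 2023'
    $has3rd  = $db  -match 'Microsoft UEFI CA 2023'
    $hasKek  = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    $assessment =
        if (-not $enabled)           { 'Secure Boot is disabled; certificate state is moot until it is enabled.' }
        elseif ($has2023 -and $hasKek) { '2023 CAs enrolled; device can keep receiving Secure Boot fixes after the 2011 CAs expire.' }
        elseif ($has2023)            { '2023 db CA present but 2023 KEK missing; servicing is incomplete.' }
        else                         { 'Only 2011-era trust present; schedule the certificate update before the 2026 expiry.' }

    [pscustomobject]@{
        SecureBoot          = if ($enabled) { 'Enabled' } else { 'Disabled' }
        Has2011ProductionCA = $has2011
        Has2023WindowsCA    = $has2023
        Has2023ThirdPartyCA = $has3rd
        Has2023KEK          = $hasKek
        Assessment          = $assessment
    }
}

Get-SecureBootCertStatus | Format-List
```

This reads the variables only; it does not enrol certificates or rewrite the bootloader, which is where Barnett's warning about unbootable systems applies. Use the output to sort a fleet into "already migrated", "partially serviced", and "still 2011-only" buckets, then plan the actual update per OS and firmware combination.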

Beyond Microsoft’s offerings, Goettl highlights that Mozilla has also released updates for Firefox and Firefox ESR, addressing a total of 34 vulnerabilities. Notably, two of these vulnerabilities, CVE-2026-0891 and CVE-2026-0892, are suspected of being actively exploited. Both are resolved in Firefox 147 (MFSA2026-01), and CVE-2026-0891 is also addressed in Firefox ESR 140.7 (MFSA2026-03). Goettl anticipates that Google Chrome and Microsoft Edge will also release their respective updates this week. He specifically points to a high-severity vulnerability in Chrome WebView, CVE-2026-0628, which was already resolved in the January 6th Chrome update.

As is customary, the SANS Internet Storm Center provides a detailed per-patch breakdown, categorized by severity and urgency, offering valuable insights for IT professionals. Windows administrators are also advised to monitor askwoody.com for any emerging news regarding potential compatibility issues or unforeseen problems arising from the January updates. Users who encounter any difficulties during the installation of this month’s patches are encouraged to share their experiences in the comments section of relevant security news outlets.