Microsoft has unleashed its monthly barrage of security updates, patching a staggering 113 vulnerabilities across its Windows operating systems and a suite of supported software. Of particular concern, eight of these flaws have been classified as "critical," with Microsoft explicitly warning that one of these vulnerabilities is already being actively exploited in the wild. This proactive disclosure underscores the urgency with which organizations must approach the January 2026 Patch Tuesday rollout.

The headline vulnerability this month, identified as CVE-2026-20805, is a flaw within the Desktop Window Manager (DWM). DWM plays a crucial role in how Windows displays and manages graphical elements on a user’s screen. While Microsoft has assigned this vulnerability a moderate CVSS score of 5.5, Kev Breen, senior director of cyber threat research at Immersive, highlighted the critical nature of its active exploitation. "Despite its middling CVSS score, Microsoft’s confirmation of active exploitation in the wild is a stark warning," Breen stated. "This indicates that threat actors are already leveraging this flaw against organizations, making prompt patching paramount."

Breen further elaborated on the potential impact of CVE-2026-20805, explaining that vulnerabilities of this nature are frequently employed to bypass Address Space Layout Randomization (ASLR). ASLR is a fundamental security mechanism in modern operating systems designed to thwart memory-manipulation exploits like buffer overflows by randomizing the memory locations of key program components. "By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack," Breen explained. He also noted Microsoft’s limited disclosure regarding other components potentially involved in such exploit chains, which significantly hinders defenders’ ability to proactively hunt for related malicious activity. "As a result, rapid patching currently remains the only effective mitigation," he concluded.

Chris Goettl, vice president of product management at Ivanti, echoed Breen’s sentiment, emphasizing that CVE-2026-20805 impacts all currently supported and extended security update-supported versions of the Windows OS. Goettl cautioned against dismissing the severity of this flaw based solely on its "Important" rating and relatively low CVSS score. "A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned," he advised. This perspective suggests that the practical implications and potential impact of a vulnerability, especially when actively exploited, should heavily influence its prioritization, even if its technical severity score appears moderate.

Beyond the actively exploited zero-day, Microsoft has also addressed two critical remote code execution vulnerabilities in Microsoft Office, CVE-2026-20952 and CVE-2026-20953. The alarming aspect of these flaws is their potential to be triggered simply by viewing a specially crafted email message within the application’s Preview Pane, a common and often automatic user action. This ease of exploitation makes these vulnerabilities particularly dangerous, as they can be weaponized with minimal user interaction.

In a concerning development that echoes a similar situation from October 2025, Microsoft has once again removed legacy modem drivers from Windows due to ongoing security concerns. Adam Barnett at Rapid7 pointed out that Microsoft has taken this action for a "broadly similar reason" to a previous instance where a modem driver vulnerability was exploited by attackers. This time, the focus is on CVE-2023-31096, an elevation of privilege vulnerability in a very similar modem driver for which Microsoft is aware of functional exploit code. "That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher," Barnett stated. "Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades." Barnett further noted that while the removal of these drivers might go unnoticed by most users, they could still be present in niche environments, including some industrial control systems.

Barnett raised two critical questions regarding these legacy drivers: "How many more legacy modem drivers are still present on a fully-patched Windows asset; and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying ‘living off the land[line] by exploiting an entire class of dusty old device drivers?’" He clarified that even without a modem physically connected, the mere presence of the vulnerable driver is sufficient to expose a system to risk. While Microsoft does not claim evidence of active exploitation for CVE-2023-31096, the prior public write-up and the recent removal of a related modem driver provide strong indicators for potential exploit development.

Another critical vulnerability drawing significant attention from Immersive, Ivanti, and Rapid7 is CVE-2026-21265, a Security Feature Bypass affecting Windows Secure Boot. Secure Boot is a vital security feature designed to protect systems from malicious software like rootkits and bootkits by ensuring that only trusted software is loaded during the boot process. The vulnerability arises from the fact that the certificates underpinning this security feature are set to expire in June and October 2026. Once these certificates expire, Windows devices not updated with newer certificates (specifically, the 2023 replacement certificates) will no longer be able to receive crucial Secure Boot security fixes, potentially leaving them vulnerable.

Barnett issued a stern caution regarding the remediation of Secure Boot vulnerabilities, emphasizing the importance of meticulous planning. "When updating the bootloader and BIOS, it is essential to prepare fully ahead of time for the specific OS and BIOS combination you’re working with, since incorrect remediation steps can lead to an unbootable system," he advised. He highlighted the longevity of the root certificates used in the Secure Boot ecosystem, which have been in place since the era of Stuxnet. "Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet," Barnett remarked. He reminded readers that Microsoft had indeed issued replacement certificates in 2023, alongside patches for CVE-2023-24932, which addressed the Secure Boot bypass exploited by the BlackLotus bootkit.

The scope of this Patch Tuesday extends beyond Microsoft products. Goettl noted that Mozilla has released updates for Firefox and Firefox ESR, addressing a total of 34 vulnerabilities. Two of these are suspected to be under active exploitation: CVE-2026-0891 and CVE-2026-0892. Both are resolved in Firefox 147 (MFSA2026-01), with CVE-2026-0891 also addressed in Firefox ESR 140.7 (MFSA2026-03).

Looking ahead, Goettl anticipates updates for Google Chrome and Microsoft Edge to be released this week. He also highlighted a high-severity vulnerability in Chrome WebView, CVE-2026-0628, which was already resolved in the January 6th Chrome update.

For a detailed breakdown of each patch by severity and urgency, the SANS Internet Storm Center provides a comprehensive summary. System administrators are also advised to monitor askwoody.com for any potential issues or incompatibilities that may arise with the January updates. Users experiencing any difficulties during the installation of these patches are encouraged to report them in the comments section of relevant security news outlets. The January 2026 Patch Tuesday serves as a critical reminder of the continuous and evolving threat landscape, demanding swift and decisive action from all users and organizations to maintain robust security postures.