Microsoft has released its January 2026 Patch Tuesday updates, addressing at least 113 security vulnerabilities across its Windows operating systems and supported software. Eight of these flaws are rated "critical," and Microsoft has confirmed that one of the newly disclosed bugs is already being exploited in the wild. As usual, the practical lesson is that prompt patching matters, and this month there is an obvious candidate for the top of the queue.
The primary concern this month is CVE-2026-20805, a zero-day in the Desktop Window Manager (DWM), the Windows component that composites and renders application windows on screen. Kev Breen, senior director of cyber threat research at Immersive, noted that Microsoft has given the bug a moderate CVSS score of 5.5, but that confirmed exploitation in the wild outweighs the score: attackers have already found this flaw and are using it against real systems.
Breen explained that vulnerabilities of this type are typically memory-disclosure bugs used to defeat Address Space Layout Randomization (ASLR). ASLR does not prevent memory-corruption bugs such as buffer overflows; it randomizes where code and data are loaded so that an attacker who has such a bug cannot reliably predict the addresses needed to turn it into code execution. A leak of those addresses removes that uncertainty. "By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack," Breen stated. He added that Microsoft has said little about which other components feature in such a chain, which limits defenders' ability to hunt for related activity, and so rapid patching is the only effective immediate mitigation.
Chris Goettl, vice president of product management at Ivanti, echoed these concerns, pointing out that CVE-2026-20805 affects all currently supported and extended security update-supported versions of the Windows operating system. Goettl cautioned against complacency, stating that it would be a misjudgment to underestimate the severity of this flaw based solely on its "Important" rating and relatively low CVSS score. "A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned," he advised, underscoring the need for organizations to conduct their own risk assessments and prioritize patching accordingly.
Beyond the actively exploited zero-day, this month’s Patch Tuesday also fixes two critical Microsoft Office remote code execution vulnerabilities, CVE-2026-20952 and CVE-2026-20953. Both can be triggered by a specially crafted email rendered in the Outlook Preview Pane, so the victim does not need to open the message; having it selected in the mailbox is enough. That makes them attractive for phishing, since the usual advice not to open suspicious messages or attachments offers no protection here; the patch does.
In a move reminiscent of October 2025, when it removed a modem driver that was being exploited, Microsoft has retired two more legacy modem drivers from Windows: agrsm64.sys and agrsm.sys. Adam Barnett of Rapid7 explained that Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a closely related modem driver, tracked as CVE-2023-31096. "That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher," Barnett remarked. The two drivers, like the one removed in October, were written by the same now-defunct third party and have shipped with Windows for decades. Barnett expects the removal to go unnoticed by most users, but notes that working modems are still found in some environments, including some industrial control systems, where they continue to pose a risk.
Barnett raised two questions: how many more drivers like these remain in fully patched Windows installations, and how many more elevation-to-SYSTEM bugs will surface in them before Microsoft removes the attack surface that lets attackers "live off the land" with components Windows ships itself. He also noted that even without direct evidence of exploitation of CVE-2023-31096, the public write-up and the removal of a similar Agere modem driver in 2025 are strong signals for threat hunters. Crucially, the driver does not need to be in use: its mere presence, with or without a physical modem attached, is enough to make the system vulnerable.
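The following PowerShell script is an added example for this page and is not from Rapid7, Microsoft or the original article. It inventories a host for traces of the two retired driver files named above, on disk, as a registered driver service, as a loaded kernel module, and in the driver store. The file names agrsm64.sys and agrsm.sys come from the article; the assumption that the matching service name or image path contains "agrsm" is mine. Run it from an elevated prompt before and after applying the January update.

```powershell
# Added example, not code from the article or from Rapid7/Microsoft.
# Looks for traces of the legacy Agere modem drivers retired in January 2026.
# Assumption: service names and image paths for these drivers contain "agrsm".

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$findings  = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Check, [string]$Item, [string]$Detail) {
    # $findings is a reference type, so Add() from inside the function mutates the caller's list
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail })
}

# 1. The binary on disk. Presence alone is what matters; no modem needs to be attached.
foreach ($name in 'agrsm64.sys', 'agrsm.sys') {
    $path = Join-Path $driverDir $name
    if (Test-Path -LiteralPath $path) {
        $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        $sig = Get-AuthenticodeSignature -FilePath $path
        Add-Finding 'FileOnDisk' $path "version=$ver signer=$($sig.SignerCertificate.Subject) sigstatus=$($sig.Status)"
    }
}

# 2. A registered kernel driver service, whether it is running or not.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'agrsm(64)?\.sys' -or $_.Name -match 'agrsm' } |
    ForEach-Object { Add-Finding 'DriverService' $_.Name "state=$($_.State) start=$($_.StartMode) path=$($_.PathName)" }

# 3. Currently loaded kernel modules, via driverquery (CSV output is easy to parse).
driverquery.exe /v /fo csv 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Module Name' -match 'agrsm' -or $_.Path -match 'agrsm' } |
    ForEach-Object { Add-Finding 'LoadedModule' $_.'Module Name' "state=$($_.State) path=$($_.Path)" }

# 4. Packages staged in the driver store (these can outlive the copy under System32\drivers).
$store = pnputil.exe /enum-drivers 2>$null
if ($store -and (($store -join "`n") -match 'agrsm')) {
    Add-Finding 'DriverStore' 'pnputil /enum-drivers' 'an agrsm package is staged in the driver store'
}

if ($findings.Count -eq 0) {
    Write-Host "No trace of agrsm64.sys or agrsm.sys on $env:COMPUTERNAME."
} else {
    Write-Host "Legacy Agere modem driver traces found on $env:COMPUTERNAME (treat as vulnerable until removed):"
    $findings | Format-Table -AutoSize -Wrap
}
```

A non-empty result after the update has been installed is worth a second look: a package left in the driver store, or a third-party service that still points at the file, means the removal did not take on that host.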
Immersive, Ivanti, and Rapid7 all drew attention to CVE-2026-21265, a critical Security Feature Bypass vulnerability affecting Windows Secure Boot. Secure Boot is designed to stop rootkits and bootkits by allowing only trusted, signed software to load during startup. The vulnerability is tied to a set of Microsoft certificates that expire in June 2026 and October 2026. Once those older certificates expire, Windows devices that have not been updated with the newer 2023 certificates will no longer be able to receive Secure Boot security fixes, leaving them exposed.
Barnett cautioned that remediation needs careful preparation before the bootloader and firmware are updated. Administrators need to know the specific OS and BIOS combination on each device, because the wrong remediation steps can leave a system unable to boot, with obvious operational consequences. "Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet," Barnett observed. He reminded readers that Microsoft released the replacement certificates in 2023 alongside patches for CVE-2023-24932, which addressed the Windows side of the Secure Boot bypass exploited by the BlackLotus bootkit and laid out the follow-up steps needed to mitigate it.
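To see where a machine stands before anyone touches its bootloader or firmware, here is an added PowerShell example; it is not from Microsoft, Rapid7 or the article. It uses the SecureBoot module's Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets to read the UEFI KEK and DB variables and looks for the names of the 2011 and 2023 Microsoft certificates. The exact subject strings and the assessment wording are my assumptions, so verify them against Microsoft's current Secure Boot certificate guidance. It also records the OS build and BIOS version, the combination Barnett says you must know. Run it elevated on a UEFI system.

```powershell
# Added example, not code from the article, Microsoft or Rapid7.
# Reports whether this machine's Secure Boot databases already contain the 2023
# Microsoft certificates, alongside the OS build and firmware version.
# Assumptions: the certificate subject strings below are the ones Microsoft uses,
# and a substring match in the raw variable bytes is treated as "present".

function Get-SecureBootCertStatus {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $result = [ordered]@{
        Computer          = $env:COMPUTERNAME
        OSBuild           = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
        BIOSVendor        = $bios.Manufacturer
        BIOSVersion       = $bios.SMBIOSBIOSVersion
        SecureBoot        = 'unknown'
        KEK_2011          = $null
        KEK_2023          = $null
        DB_WinPCA_2011    = $null
        DB_WinUEFICA_2023 = $null
        DB_MSUEFICA_2023  = $null
        Assessment        = ''
    }

    try {
        $result.SecureBoot = if (Confirm-SecureBootUEFI) { 'on' } else { 'off' }
    } catch {
        # Confirm-SecureBootUEFI throws on legacy-BIOS machines and in non-elevated sessions.
        $result.SecureBoot = "unavailable ($($_.Exception.Message))"
        $result.Assessment = 'Not a UEFI Secure Boot system, or run this from an elevated prompt.'
        return [pscustomobject]$result
    }

    # KEK and db are binary EFI_SIGNATURE_LISTs of DER certificates; the subject names
    # appear as ASCII inside the DER blobs, which is enough for a presence check.
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

    $result.KEK_2011          = $kek -match 'Microsoft Corporation KEK CA 2011'
    $result.KEK_2023          = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    $result.DB_WinPCA_2011    = $db  -match 'Microsoft Windows Production PCA 2011'
    $result.DB_WinUEFICA_2023 = $db  -match 'Windows UEFI CA 2023'
    $result.DB_MSUEFICA_2023  = $db  -match 'Microsoft UEFI CA 2023'

    $result.Assessment = if ($result.DB_WinUEFICA_2023 -and $result.KEK_2023) {
        '2023 certificates present; device can keep receiving Secure Boot fixes after the 2011 certificates expire.'
    } elseif ($result.DB_WinUEFICA_2023) {
        '2023 Windows CA is in db but the 2023 KEK is missing; the KEK update is still outstanding.'
    } else {
        'Only 2011 certificates found; schedule the certificate rollout before the June/October 2026 expiry.'
    }
    [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```

Record the output per device class (same OS build and BIOS version) before rolling anything out; a firmware that rejects the new KEK is exactly the unbootable case Barnett warns about, and the BIOSVendor/BIOSVersion fields are what you will need when checking the OEM's guidance.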
On the broader software landscape, Goettl highlighted that Mozilla has also released updates for Firefox and Firefox ESR, patching a total of 34 vulnerabilities. Notably, two of these vulnerabilities, CVE-2026-0891 and CVE-2026-0892, are suspected to be under active exploitation. Both are resolved in Firefox 147 (MFSA2026-01), and CVE-2026-0891 is also addressed in Firefox ESR 140.7 (MFSA2026-03).
Goettl also expects Google Chrome and Microsoft Edge updates this week, carrying the fix for a high-severity vulnerability in Chrome WebView (CVE-2026-0628) that Google patched in its January 6 Chrome release.
As is customary, the SANS Internet Storm Center has published a per-patch breakdown, sorted by severity and urgency, which is a useful starting point for administrators. Windows administrators should also keep an eye on askwoody.com for reports of compatibility problems or unexpected behaviour from the January updates. If you run into trouble installing this month’s patches, share the details in the comments so others can benefit from the experience.

