Microsoft has today unleashed a substantial security update, addressing a staggering 113 vulnerabilities across its Windows operating systems and associated software. This release is particularly noteworthy due to the presence of eight "critical" vulnerabilities, with Microsoft issuing a stern warning that at least one of these flaws is already under active exploitation by malicious actors. The urgency of this patch cycle cannot be overstated, as it tackles a range of issues from actively exploited zero-days to critical code execution flaws and long-standing vulnerabilities in legacy components.

The headline zero-day vulnerability for January 2026, designated as CVE-2026-20805, stems from a flaw within the Desktop Window Manager (DWM). Kev Breen, senior director of cyber threat research at Immersive, highlighted that while this vulnerability received a moderate CVSS score of 5.5, Microsoft’s confirmation of its active exploitation in the wild signifies a significant threat. Breen elaborated that such vulnerabilities are frequently employed to circumvent Address Space Layout Randomization (ASLR), a fundamental security mechanism designed to prevent memory-based attacks. "By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack," Breen explained. He further cautioned that Microsoft’s limited disclosure regarding potential exploit chains significantly hinders defenders’ ability to proactively identify related malicious activity, underscoring the critical importance of immediate patching.

Chris Goettl, vice president of product management at Ivanti, echoed the sentiment of urgency, noting that CVE-2026-20805 impacts all currently supported and extended security update versions of Windows. Goettl stressed that organizations should not be lulled into a false sense of security by the vulnerability’s "Important" rating and relatively low CVSS score, advising that a risk-based prioritization methodology would warrant treating this vulnerability with a higher severity than its vendor rating suggests.

Beyond the zero-day, this month’s critical patches include two significant remote code execution vulnerabilities in Microsoft Office, identified as CVE-2026-20952 and CVE-2026-20953. These flaws are particularly insidious, as they can be triggered simply by viewing a maliciously crafted message within the Outlook Preview Pane, a common and often overlooked user interaction. The ease with which these vulnerabilities can be exploited makes them a prime target for widespread phishing and targeted attacks.

In a move reminiscent of the October 2025 Patch Tuesday, where a modem driver was removed due to exploitation, Microsoft has once again taken action against legacy modem drivers. Adam Barnett from Rapid7 revealed that two more modem drivers, agrsm64.sys and agrsm.sys, have been removed from Windows. This action is linked to a privilege escalation vulnerability, CVE-2023-31096, for which functional exploit code is known to exist. Barnett pointed out the unusual nature of this fix, noting that the vulnerability was originally disclosed over two years ago. He explained that all three affected modem drivers were developed by the same defunct third party and have been included in Windows for decades. While the removal of these drivers will likely go unnoticed by the majority of users, Barnett warned that they might still be present in specific environments, including some industrial control systems.

Barnett raised two pertinent questions regarding these legacy drivers: the number of other antiquated modem drivers potentially still residing on fully patched Windows systems, and the likelihood of further elevation-of-privilege vulnerabilities emerging from this "entire class of dusty old device drivers." He clarified that active exploitation of CVE-2023-31096 has not been officially confirmed by Microsoft, but the prior disclosure of the vulnerability and the recent removal of a similar Agere modem driver serve as strong indicators for threat actors. Crucially, Barnett emphasized that the mere presence of these drivers, irrespective of whether a physical modem is connected, is sufficient to render a system vulnerable.
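Because presence alone is what matters here, administrators may want to inventory hosts for these drivers before and after patching. The following PowerShell is an added example, not code from the article, Microsoft or Rapid7; it checks the live driver directory, the Driver Store and registered kernel driver services for the two file names the text gives.

```powershell
# Added example, not from the article or from Microsoft: inventory a Windows host for
# the two legacy Agere modem drivers named in the text (agrsm64.sys, agrsm.sys).
# The text notes the driver only has to be present to matter, so this checks the
# driver directory, the Driver Store, and registered kernel driver services.
# Run from an elevated PowerShell prompt.
$legacyDrivers = @('agrsm64.sys', 'agrsm.sys')
$driverDir     = Join-Path $env:SystemRoot 'System32\drivers'
$driverStore   = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

# One CIM query up front; Win32_SystemDriver lists every registered kernel driver.
$allDrivers = Get-CimInstance -ClassName Win32_SystemDriver

$findings = foreach ($name in $legacyDrivers) {
    $onDisk  = Test-Path -LiteralPath (Join-Path $driverDir $name)
    # Copies staged in the Driver Store can be re-installed later even if the
    # live copy is gone, so report those too.
    $staged  = @(Get-ChildItem -Path $driverStore -Recurse -Filter $name -ErrorAction SilentlyContinue)
    $service = @($allDrivers | Where-Object { $_.PathName -and $_.PathName -like "*\$name" })

    [pscustomobject]@{
        Driver        = $name
        PresentOnDisk = $onDisk
        StagedCopies  = $staged.Count
        ServiceName   = ($service.Name -join ',')
        ServiceState  = ($service.State -join ',')
        StartMode     = ($service.StartMode -join ',')
    }
}

$findings | Format-Table -AutoSize

$exposed = $findings | Where-Object { $_.PresentOnDisk -or $_.StagedCopies -gt 0 -or $_.ServiceName }
if ($exposed) {
    Write-Warning ("Legacy Agere modem driver(s) present: {0}. Apply the January 2026 update and re-run to confirm removal." -f ($exposed.Driver -join ', '))
} else {
    Write-Host 'No legacy Agere modem drivers found.'
}
```

Re-running after the update should show no copies on disk, in the Driver Store or as a registered service; a lingering Driver Store copy is worth clearing with the usual pnputil workflow.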

All three security firms – Immersive, Ivanti, and Rapid7 – collectively drew attention to CVE-2026-21265, a critical Security Feature Bypass vulnerability affecting Windows Secure Boot. This crucial security feature is designed to safeguard systems against sophisticated threats like rootkits and bootkits by verifying the integrity of the boot process. The vulnerability is exacerbated by the impending expiration of a set of root certificates in June and October 2026. Following these expirations, Windows devices that have not been updated with newer 2023 certificates will be unable to receive further Secure Boot security fixes, creating a significant security gap.

Barnett offered a cautionary note regarding the process of updating bootloaders and BIOS, stressing the absolute necessity of thorough preparation for specific OS and BIOS combinations to avoid rendering systems unbootable. He reflected on the long lifespan of the Microsoft root certificates, which have been integral to the Secure Boot ecosystem since the era of the Stuxnet worm. Microsoft had previously issued replacement certificates in 2023, coinciding with patches for CVE-2023-24932, which addressed vulnerabilities exploited by the BlackLotus bootkit.
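A quick way to see where a device stands before the certificate expirations is to read the UEFI signature database directly. This PowerShell is an added example, not from the article or from Microsoft; it assumes the certificate subjects contain 'Microsoft Windows Production PCA 2011' and 'Windows UEFI CA 2023', the names used in Microsoft's published Secure Boot guidance.

```powershell
# Added example, not from the article or from Microsoft: report which Microsoft
# Secure Boot CAs this device's UEFI signature database (db) trusts, so you can
# tell whether the 2023 replacement certificate is already enrolled before the
# 2011-era certificates expire. Assumptions: the certificate subjects contain
# 'Microsoft Windows Production PCA 2011' and 'Windows UEFI CA 2023' (the names
# used in Microsoft's published guidance). Run elevated on a UEFI system.
try {
    $secureBootOn = Confirm-SecureBootUEFI
} catch {
    Write-Warning "Secure Boot state unavailable (legacy BIOS or unsupported firmware): $($_.Exception.Message)"
    return
}

# Read the raw db variable. X.509 subject names inside the DER blobs are stored as
# plain ASCII, so a substring scan of the variable is enough to see which CAs are present.
$dbBytes = (Get-SecureBootUEFI -Name db).Bytes
$dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)

$status = [pscustomobject]@{
    SecureBootEnabled = $secureBootOn
    Trusts2011PCA     = ($dbText -match 'Microsoft Windows Production PCA 2011')
    Trusts2023CA      = ($dbText -match 'Windows UEFI CA 2023')
}
$status | Format-List

if (-not $status.SecureBootEnabled) {
    Write-Warning 'Secure Boot is off; enable it in firmware before relying on any certificate rollover.'
} elseif (-not $status.Trusts2023CA) {
    Write-Warning 'db does not yet contain the 2023 CA. After the expirations described above this device would stop receiving Secure Boot fixes; stage the certificate update only after validating this OS/BIOS combination on test hardware.'
} else {
    Write-Host '2023 CA is enrolled in db; this device can continue to receive Secure Boot updates.'
}
```

Run it across a representative sample of hardware models first, since the bootloader and BIOS combinations Barnett warns about are exactly where a blanket rollout goes wrong.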

In the realm of third-party software, Chris Goettl reported that Mozilla has released updates for Firefox and Firefox ESR, patching a total of 34 vulnerabilities. Notably, two of these vulnerabilities (CVE-2026-0891 and CVE-2026-0892) are suspected to be under active exploitation. Both are resolved in Firefox 147 (MFSA2026-01), and CVE-2026-0891 is also addressed in Firefox ESR 140.7 (MFSA2026-03). Goettl anticipates that Google Chrome and Microsoft Edge will also release updates this week, with a specific mention of a high-severity vulnerability in Chrome WebView (CVE-2026-0628) that was patched in the January 6th Chrome update.

For those seeking a detailed breakdown of the January 2026 Patch Tuesday releases, the SANS Internet Storm Center provides a comprehensive per-patch analysis categorized by severity and urgency. System administrators are also advised to monitor askwoody.com for any potential news or advisories regarding compatibility issues with the newly released patches. Users experiencing any difficulties during the installation of the January updates are encouraged to share their experiences in the comments section of relevant security news outlets.