Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)
8Critical
105Important
0Moderate
0Low
Microsoft addresses 113 CVEs in the first Patch Tuesday of 2026, with two zero-days, including one that was exploited in the wild.
Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)
8Critical
105Important
0Moderate
0Low
Microsoft addresses 113 CVEs in the first Patch Tuesday of 2026, with two zero-days, including one that was exploited in the wild.
Microsoft patched 113 CVEs in its January 2026 Patch Tuesday release, with eight rated critical and 105 rated as important. Our counts omitted one CVE that was assigned by MITRE, CVE-2023-31096.
This month’s update includes patches for:
Azure Connected Machine Agent
Azure Core shared client library for Python
Capability Access Management Service (camsvc)
Connected Devices Platform Service (Cdpsvc)
Desktop Window Manager
Dynamic Root of Trust for Measurement (DRTM)
Graphics Kernel
Host Process for Windows Tasks
Inbox COM Objects
Microsoft Graphics Component
Microsoft Office
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Office Word
Printer Association Object
SQL Server
Tablet Windows User Interface (TWINUI) Subsystem
Windows Admin Center
Windows Ancillary Function Driver for WinSock
Windows Client-Side Caching (CSC) Service
Windows Clipboard Server
Windows Cloud Files Mini Filter Driver
Windows Common Log File System Driver
Windows DWM
Windows Deployment Services
Windows Error Reporting
Windows File Explorer
Windows HTTP.sys
Windows Hello
Windows Hyper-V
Windows Installer
Windows Internet Connection Sharing (ICS)
Windows Kerberos
Windows Kernel
Windows Kernel Memory
Windows Kernel-Mode Drivers
Windows LDAP – Lightweight Directory Access Protocol
Windows Local Security Authority Subsystem Service (LSASS)
Windows Local Session Manager (LSM)
Windows Management Services
Windows Media
Windows NDIS
Windows NTFS
Windows NTLM
Windows Remote Assistance
Windows Remote Procedure Call
Windows Remote Procedure Call Interface Definition Language (IDL)
Windows Routing and Remote Access Service (RRAS)
Windows SMB Server
Windows Secure Boot
Windows Server Update Service
Windows Shell
Windows TPM
Windows Telephony Service
Windows Virtualization-Based Security (VBS) Enclave
Windows WalletService
Windows Win32K – ICOMP
Elevation of privilege (EoP) vulnerabilities accounted for 49.6% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 19.5%.
CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability
CVE-2026-20805 is an information disclosure vulnerability affecting Desktop Window Manager. It was assigned a CVSSv3 score of 5.5 and was rated as important. Successful exploitation allows an authenticated attacker to access sensitive data. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.
Additionally, Microsoft patched another Desktop Window Manager vulnerability this month. CVE-2026-20871 is an EoP vulnerability that was assigned a CVSSv3 score of 7.8 and was rated as important. Contrary to CVE-2026-20805, CVE-2026-20871 was not exploited in the wild, although it was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.
CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
CVE-2026-21265 is a security feature bypass in the Windows Secure Boot. It was assigned a CVSSv3 score of 6.4 and is rated important. It was assessed as “Exploitation Less Likely.”
Microsoft certificates are stored in the Unified Extensible Firmware Interface (UEFI) Key Enrollment Key (also known as Key Exchange or KEK) and DB. These certificates are reaching their expiration date, so these certificates need to be updated to ensure Secure Boot functionality remains and to prevent future issues from arising. The following are the certificates set to expire in 2026:
Certificate Authority (CA)
Expiration Date
Purpose
Location
Microsoft Corporation KEK CA 2011
June 24, 2026
Signs updates to the DB and DBX
KEK
Microsoft Corporation UEFI CA 2011
June 27, 2026
Signs third party boot loaders, Option ROMs and more
DB
Microsoft Windows Production PCA 2011
October 19, 2026
Signs the Windows Boot Manager
DB
This vulnerability is considered “Publicly Disclosed” because the information about the expiration and the location of these certificates are public.
CVE-2026-20952 and CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability
CVE-2026-20952 and CVE-2026-20953 are RCE vulnerabilities affecting Microsoft Office. Each of these vulnerabilities were assigned a CVSSv3 score of 8.4, rated as critical and assessed as “Exploitation Less Likely.” An attacker could exploit these flaws through social engineering by sending the malicious Microsoft Office document file to an intended target. Successful exploitation would grant code execution privileges to the attacker.
Despite being flagged as “Exploitation Less Likely,” Microsoft notes that the Preview Pane is an attack vector for both vulnerabilities, which means exploitation does not require the target to open the file.
CVE-2026-20840 and CVE-2026-20922 | Windows NTFS Remote Code Execution Vulnerability
CVE-2026-20840 and CVE-2026-20922 are RCE vulnerabilities affecting Windows New Technology File System (NTFS). Both were assigned CVSSv3 scores of 7.8 and are rated as important. Microsoft assessed both of these flaws as “Exploitation More Likely.” According to Microsoft, both these flaws stem from heap-based buffer overflows which can be exploited to execute arbitrary code on an affected system. Both advisories also note that any authenticated attacker can exploit these flaws, regardless of privilege level.
Tenable Solutions
A list of all the plugins released for Microsoft’s January 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.
Get more information
Join on Tenable Connect and engage with us in the for further discussions on the latest cyber threats.
Learn more about , the Exposure Management Platform for the modern attack surface.
*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Research Special Operations. Read the original post at: https://www.tenable.com/blog/microsofts-january-2026-patch-tuesday-addresses-113-cves-cve-2026-20805
About Author
