News
Zero-Day Attack Drives 113-Vulnerability Patch Tuesday Release to Start 2026
Microsoft rang in 2026 with its biggest January Patch Tuesday rollout in four years, shipping fixes for 113 vulnerabilities across Windows, Office and other products. The release addresses eight critical flaws and includes one zero-day bug that is already being actively exploited.
The zero-day, CVE-2026-20805, is an information disclosure vulnerability in the Desktop Window Manager. It allows attackers to leak memory addresses through a remote ALPC port. Information disclosure bugs are not exploited as often as remote code execution flaws, but security researchers say vulnerabilities like this are often used as stepping stones in more complex, multi-stage attacks.
"It's a bit unusual to see an information disclosure bug exploited in the wild, but that's what we have here," said Dustin Childs of the Zero Day Initiative. "Presumably, threat actors would then use the address in the next stage of their exploit chain -- probably gaining arbitrary code execution."
Microsoft provided no details about the scope of attacks exploiting this hole, though Childs noted they are likely limited based on the source of the threat intelligence.
Tyler Reguly, associate director of security R&D at Fortra, said CISOs should pay close attention to another vulnerability this month beyond the active zero-day. CVE-2026-21265, a Secure Boot certificate expiration flaw, could cause major disruptions if not addressed before certificates expire in June.
"When the Secure Boot certificates expire in June of this year, organizations that haven't prepared will not only find Secure Boot no longer operational, but they may also find that Windows boot manager and Secure Boot vulnerabilities have become an issue," Reguly said.
Microsoft published guidance on the certificate expiration in June 2025, including a deployment playbook aimed at IT professionals. With less than six months left, organizations are running out of time to prepare for the update.
Eight Critical Vulnerabilities for January
In addition to the zero-day, Microsoft identified eight vulnerabilities as critical, all rated for their ability to enable remote code execution or privilege escalation without user interaction.
Two of those critical issues, CVE-2026-20952 and CVE-2026-20953, affect Microsoft Office and can be exploited through Outlook's Preview Pane. The flaws allow attackers to run code without any action from the victim. Both are use-after-free memory vulnerabilities with CVSS scores of 8.4.
"This vulnerability allows attackers to weaponize everyday Office content, potentially executing malicious code without a single click," said Jack Bicer, director of vulnerability research at Action1, referring to CVE-2026-20953.
The Office flaws are the latest in a string of Preview Pane vulnerabilities Microsoft has patched throughout 2025. Security teams are being encouraged to disable the Preview Pane where feasible and to restrict how Office handles files from untrusted sources.
One of the most serious issues this month is CVE-2026-20854, a remote code execution flaw in the Windows Local Security Authority Subsystem Service. Because the service underpins Windows authentication, a successful exploit could allow attackers to steal credentials, move laterally across networks and potentially compromise an entire domain.
"LSASS is a high-value target because it handles credentials and authentication," said Alex Vovk, CEO and co-founder of Action1. "Compromise of this service can result in credential theft, lateral movement, domain-wide compromise and prolonged attacker persistence."
Two additional critical elevation-of-privilege vulnerabilities round out the top-priority patches. CVE-2026-20822 affects the Windows Graphics Component and CVE-2026-20876 targets Windows Virtualization-Based Security Enclave. Both could allow attackers to gain SYSTEM-level access.
Mike Walters, president and co-founder of Action1, said the VBS Enclave vulnerability breaks security boundaries designed to protect Windows itself.
"This vulnerability poses a serious risk for organizations relying on VBS to protect credentials, secrets and sensitive workloads," Walters said. "If exploited, attackers could bypass advanced security controls, establish deep persistence, evade detection and compromise systems that are assumed to be strongly isolated."
The remaining critical vulnerabilities include CVE-2026-20955 and CVE-2026-20957 in Excel, and CVE-2026-20944 in Word.
January Release Breaks Recent Trends
With 113 CVEs fixed, January 2026 stands as the third-largest January Patch Tuesday since Microsoft adopted its current security guidance system in 2017. Only January 2025, with 162 CVEs, and January 2022, which had 127, were larger.
"This is also only the third time that we've seen more than 100 CVEs under the security guidance system," Reguly said. "We're sitting above the average 89 CVEs that we've seen over the nine January Patch Tuesdays under the new system."
The spike also reflects a wider industry pattern. Reported vulnerabilities increased 12 percent in 2025 compared with 2024, continuing an upward trend in disclosed security flaws that shows no sign of slowing.
In addition to the critical and zero-day patches, Microsoft addressed numerous elevation-of-privilege vulnerabilities across Windows Management Services, multiple information disclosure bugs and several security feature bypass issues.
One notable patch involves CVE-2023-31096, a three-year-old vulnerability in the Windows Agere Soft Modem Driver. Rather than fix the driver, which has been end-of-life since 2016, Microsoft is removing it entirely from affected systems.
Updates are available now through Windows Update, Windows Server Update Services and the Microsoft Update Catalog. A complete list of security bulletins can be found here.