Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)
<div morss_own_score="2.569321533923304" morss_score="36.943272887136025"> <ol> <li><span>8</span>Critical</li> <li><span>105</span>Important</li> <li><span>0</span>Moderate</li> <li><span>0</span>Low</li> </ol> <p><strong>Microsoft addresses 113 CVEs in the first Patch Tuesday of 2026, with two zero-days, including one that was exploited in the wild.</strong></p> <p>Microsoft patched 113 CVEs in its January 2026 Patch Tuesday release, with eight rated critical and 105 rated as important. Our counts omitted one CVE that was assigned by MITRE, CVE-2023-31096.</p> <p><img decoding="async" src="https://www.tenable.com/sites/default/files/images/blog/63bd3f55-94a2-43dc-95b9-e4520f266367.png"></p> <p>This month’s update includes patches for:</p> <ul> <li>Azure Connected Machine Agent</li> <li>Azure Core shared client library for Python</li> <li>Capability Access Management Service (camsvc)</li> <li>Connected Devices Platform Service (Cdpsvc)</li> <li>Desktop Window Manager</li> <li>Dynamic Root of Trust for Measurement (DRTM)</li> <li>Graphics Kernel</li> <li>Host Process for Windows Tasks</li> <li>Inbox COM Objects</li> <li>Microsoft Graphics Component</li> <li>Microsoft Office</li> <li>Microsoft Office Excel</li> <li>Microsoft Office SharePoint</li> <li>Microsoft Office Word</li> <li>Printer Association Object</li> <li>SQL Server</li> <li>Tablet Windows User Interface (TWINUI) Subsystem</li> <li>Windows Admin Center</li> <li>Windows Ancillary Function Driver for WinSock</li> <li>Windows Client-Side Caching (CSC) Service</li> <li>Windows Clipboard Server</li> <li>Windows Cloud Files Mini Filter Driver</li> <li>Windows Common Log File System Driver</li> <li>Windows DWM</li> <li>Windows Deployment Services</li> <li>Windows Error Reporting</li> <li>Windows File Explorer</li> <li>Windows HTTP.sys</li> <li>Windows Hello</li> <li>Windows Hyper-V</li> <li>Windows Installer</li> <li>Windows Internet Connection Sharing (ICS)</li> <li>Windows Kerberos</li> <li>Windows 
Kernel</li> <li>Windows Kernel Memory</li> <li>Windows Kernel-Mode Drivers</li> <li>Windows LDAP – Lightweight Directory Access Protocol</li> <li>Windows Local Security Authority Subsystem Service (LSASS)</li> <li>Windows Local Session Manager (LSM)</li> <li>Windows Management Services</li> <li>Windows Media</li> <li>Windows NDIS</li> <li>Windows NTFS</li> <li>Windows NTLM</li> <li>Windows Remote Assistance</li> <li>Windows Remote Procedure Call</li> <li>Windows Remote Procedure Call Interface Definition Language (IDL)</li> <li>Windows Routing and Remote Access Service (RRAS)</li> <li>Windows SMB Server</li> <li>Windows Secure Boot</li> <li>Windows Server Update Service</li> <li>Windows Shell</li> <li>Windows TPM</li> <li>Windows Telephony Service</li> <li>Windows Virtualization-Based Security (VBS) Enclave</li> <li>Windows WalletService</li> <li>Windows Win32K – ICOMP</li> </ul> <p><img decoding="async" src="https://www.tenable.com/sites/default/files/images/blog/8bff1fd7-fc22-4357-9e40-b719ae60ec5f.png"></p> <p>Elevation of privilege (EoP) vulnerabilities accounted for 49.6% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 19.5%.</p> <div>Important</div> <h2>CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability</h2> <p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20805"><u>CVE-2026-20805</u></a> is an information disclosure vulnerability affecting Desktop Window Manager. It was assigned a CVSSv3 score of 5.5 and was rated as important. Successful exploitation allows an authenticated attacker to access sensitive data. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.</p> <p>Additionally, Microsoft patched another Desktop Window Manager vulnerability this month. 
<a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20871"><u>CVE-2026-20871</u></a> is an EoP vulnerability that was assigned a CVSSv3 score of 7.8 and was rated as important. Unlike CVE-2026-20805, CVE-2026-20871 was not exploited in the wild, although it was assessed as “Exploitation More Likely” according to <a href="https://www.microsoft.com/en-us/msrc/exploitability-index"><u>Microsoft’s Exploitability Index</u></a>.</p> <div>Important</div> <h2>CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability</h2> <p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21265"><u>CVE-2026-21265</u></a> is a security feature bypass vulnerability in Windows Secure Boot. It was assigned a CVSSv3 score of 6.4 and is rated important. It was assessed as “Exploitation Less Likely.”</p> <p>Microsoft certificates are stored in the Unified Extensible Firmware Interface (UEFI) Key Enrollment Key (KEK, also known as the Key Exchange Key) and DB variables. These certificates are <a href="https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e"><u>reaching their expiration date</u></a>, so they need to be updated to keep Secure Boot functioning and to prevent future issues from arising. 
The following are the certificates set to expire in 2026:</p> <table> <thead> <tr> <th><strong>Certificate Authority (CA)</strong></th> <th><strong>Expiration Date</strong></th> <th><strong>Purpose</strong></th> <th><strong>Location</strong></th> </tr> </thead> <tbody> <tr> <td>Microsoft Corporation KEK CA 2011</td> <td>June 24, 2026</td> <td>Signs updates to the DB and DBX</td> <td>KEK</td> </tr> <tr> <td>Microsoft Corporation UEFI CA 2011</td> <td>June 27, 2026</td> <td>Signs third-party boot loaders, Option ROMs and more</td> <td>DB</td> </tr> <tr> <td>Microsoft Windows Production PCA 2011</td> <td>October 19, 2026</td> <td>Signs the Windows Boot Manager</td> <td>DB</td> </tr> </tbody> </table> <p>This vulnerability is considered “Publicly Disclosed” because the information about the expiration and the location of these certificates is public.</p> <div>Critical</div> <h2>CVE-2026-20952 and CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability</h2> <p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20952"><u>CVE-2026-20952</u></a> and <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20953"><u>CVE-2026-20953</u></a> are RCE vulnerabilities affecting Microsoft Office. Each of these vulnerabilities was assigned a CVSSv3 score of 8.4, rated as critical and assessed as “Exploitation Less Likely.” An attacker could exploit these flaws through social engineering by sending a malicious Microsoft Office document file to an intended target. 
Successful exploitation would grant code execution privileges to the attacker.</p> <p>Despite being flagged as “Exploitation Less Likely,” Microsoft notes that the Preview Pane is an attack vector for both vulnerabilities, which means exploitation does not require the target to open the file.</p> <div>Important</div> <h2>CVE-2026-20840 and CVE-2026-20922 | Windows NTFS Remote Code Execution Vulnerability</h2> <p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20840"><u>CVE-2026-20840</u></a> and <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20922"><u>CVE-2026-20922</u></a> are RCE vulnerabilities affecting Windows New Technology File System (NTFS). Both were assigned CVSSv3 scores of 7.8 and are rated as important. Microsoft assessed both of these flaws as “Exploitation More Likely.” According to Microsoft, both these flaws stem from heap-based buffer overflows which can be exploited to execute arbitrary code on an affected system. Both advisories also note that any authenticated attacker can exploit these flaws, regardless of privilege level.</p> <h2>Tenable Solutions</h2> <p>A list of all the plugins released for Microsoft’s January 2026 Patch Tuesday update can be found <a href="https://www.tenable.com/plugins/search?q=%22January+2026%22+AND+script_family%3A%28%22Windows+%3A+Microsoft+Bulletins%22+OR+%22Windows%22%29&sort=&page=1"><u>here</u></a>. 
As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.</p> <p>For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on <a href="https://www.tenable.com/blog/how-to-perform-efficient-vulnerability-assessments-with-tenable"><u>How to Perform Efficient Vulnerability Assessments with Tenable</u></a>.</p> </div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.tenable.com/">Tenable Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Research Special Operations">Research Special Operations</a>. Read the original post at: <a href="https://www.tenable.com/blog/microsofts-january-2026-patch-tuesday-addresses-113-cves-cve-2026-20805">https://www.tenable.com/blog/microsofts-january-2026-patch-tuesday-addresses-113-cves-cve-2026-20805</a> </p>