Microsoft January 2026 Patch Tuesday: 113 Flaws, Zero-Day Exploited

TL;DR

Microsoft released fixes for at least 113 vulnerabilities, eight rated critical, and confirmed active exploitation of a January zero-day in the Desktop Window Manager (CVE-2026-20805). Patches also address Office remote-code flaws, Secure Boot bypasses tied to expiring certificates, and legacy modem drivers removed due to exploit code concerns.

What happened

On Patch Tuesday for January 2026 Microsoft issued updates addressing a minimum of 113 security flaws across Windows and related products. Eight bugs were labeled critical. The firm confirmed active exploitation of a zero-day, CVE-2026-20805, which stems from a flaw in the Desktop Window Manager (DWM) and is seen as capable of undermining Address Space Layout Randomization (ASLR) and enabling chained exploits. Two remote-code vulnerabilities in Microsoft Office (CVE-2026-20952 and CVE-2026-20953) can be triggered by simply previewing a malicious message. Microsoft also removed older modem drivers (agrsm64.sys and agrsm.sys) after public exploit code tied to a related driver (CVE-2023-31096) was documented; the mere presence of such drivers can create risk even without a connected modem. A critical Secure Boot security feature bypass (CVE-2026-21265) was patched amid warnings about expiring root certificates in 2026 that could affect future fixes. Mozilla and other browser vendors have also issued updates this month.

Why it matters

• Active exploitation of a Windows zero-day raises immediate risk for organizations and underscores the need for prompt patching.
• ASLR-bypassing flaws can be chained with other bugs to produce reliable code-execution attacks, increasing operational impact.
• Removal of legacy modem drivers exposes the broader risk of old, bundled drivers that can carry elevation-to-system vulnerabilities even if unused.
• Secure Boot certificate expirations in 2026 could prevent affected devices from receiving fixes unless bootloaders/firmware are updated correctly.

Key facts

• Microsoft fixed at least 113 vulnerabilities in the January 2026 update set.
• Eight vulnerabilities received Microsoft’s 'critical' rating.
• CVE-2026-20805 (DWM) is a zero-day that Microsoft says is being actively exploited; it received a CVSS score of 5.5.
• Two Office remote-code-execution bugs—CVE-2026-20952 and CVE-2026-20953—can be exploited via the Preview Pane.
• Microsoft removed modem drivers agrsm64.sys and agrsm.sys due to concerns linked to public exploit code for a similar driver (CVE-2023-31096).
• CVE-2026-21265 is a critical Security Feature Bypass affecting Windows Secure Boot; related root certificates from 2011 are set to expire in June and October 2026.
• Mozilla issued Firefox updates fixing 34 flaws; two (CVE-2026-0891 and CVE-2026-0892) are suspected of being exploited in the wild.
• Google Chrome WebView had a high-severity issue (CVE-2026-0628) resolved in a January 6 Chrome update; Chrome and Edge updates were expected following Patch Tuesday.

What to watch next

• Expect and install Google Chrome and Microsoft Edge updates issued this week as noted in vendor advisories.
• Monitor Secure Boot certificate and firmware/bootloader guidance closely—incorrect remediation can render systems unbootable.
• Watch SANS Internet Storm Center and askwoody.com for per-patch compatibility notes and reports of installation issues.

Quick glossary

• Desktop Window Manager (DWM): A Windows component that composes and manages application windows and their display on screen.
• Address Space Layout Randomization (ASLR): A memory-protection technique that randomizes the location of key data and code to make exploitation harder.
• Zero-day: A vulnerability that is being exploited in the wild before the vendor has published a fix.
• Secure Boot: A firmware-based security feature that helps prevent loading unsigned or tampered boot components.
• CVSS: Common Vulnerability Scoring System, a framework for rating the severity of security vulnerabilities.

Reader FAQ

Should I apply January’s Microsoft updates immediately?
For the DWM zero-day (CVE-2026-20805) and other actively exploited flaws, rapid patching is recommended; practitioners cited rapid patching as the main effective mitigation.

Are attackers already exploiting any of the patched issues?
Microsoft confirmed active exploitation of CVE-2026-20805. Mozilla also fixed Firefox issues (CVE-2026-0891 and CVE-2026-0892) that are suspected to be exploited.

Why were modem drivers removed from Windows?
Microsoft removed agrsm64.sys and agrsm.sys after public exploit code and research linked similar legacy modem drivers to elevation-of-privilege risks.

Will Secure Boot fixes and certificate changes break devices?
Incorrect bootloader or BIOS remediation can render systems unbootable; the source advises careful preparation for each OS/BIOS combination.

January 13, 2026 3 Comments Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned…

Sources

• Patch Tuesday, January 2026 Edition
• Microsoft's January 2026 Patch Tuesday Addresses 113 …
• January 2026 Patch Tuesday: Updates and Analysis
• Zero-Day Attack Drives 113-Vulnerability Patch Tuesday …

Related posts

• India’s PSLV rocket fails again in second consecutive mission loss for launcher
• DOJ publishes partially redacted documents related to Operation Absolute Resolve
• Windows info-disclosure zero-day patched after CISA adds it to catalog