In January 2026, Microsoft released its Patch Tuesday update, which fixes one actively exploited zero-day vulnerability along with eight further flaws that Microsoft rates as more likely to be exploited. The update is considerably larger than the previous one: it covers 112 Microsoft Common Vulnerabilities and Exposures (CVEs) plus three non-Microsoft CVEs, effectively doubling December’s count of 57.
Details on the Zero-Day Vulnerability
The zero-day, tracked as CVE-2026-20805, is an Information Disclosure vulnerability in the Desktop Window Manager (DWM) with a severity score of 5.5. Microsoft’s Threat Intelligence Center and Security Response Center (MSRC) are credited with discovering it. Microsoft describes the flaw as one through which sensitive information could be disclosed to unauthorized users via DWM. CISA, the Cybersecurity and Infrastructure Security Agency, promptly added it to its Known Exploited Vulnerabilities (KEV) catalog, confirming that it is being exploited in the wild.
Other Vendor Updates
In addition to Microsoft’s updates, a variety of other tech companies such as Fortinet, SAP, ServiceNow, and Adobe also released patches this week, emphasizing the widespread nature of security vulnerabilities across different platforms.
High-Risk Vulnerabilities in the January Update
Microsoft flagged eight vulnerabilities as having a “more likely” exploitation risk. Here’s a closer look at these serious vulnerabilities:
1. Windows Installer Elevation of Privilege (CVE-2026-20816)
Rated at 7.8, this vulnerability involves a time-of-check to time-of-use (TOCTOU) race condition within the Windows Installer. It could enable authorized attackers to escalate their privileges and potentially gain SYSTEM-level access.
2. Windows Error Reporting Service Elevation of Privilege (CVE-2026-20817)
This 7.8-rated vulnerability arises from improper handling of permissions within the Windows Error Reporting system, allowing an authorized attacker to gain higher privileges locally.
3. Windows Common Log File System Driver Elevation of Privilege (CVE-2026-20820)
Also rated 7.8, this issue is a heap-based buffer overflow in the Windows Common Log File System (CLFS) driver that could allow an attacker to elevate privileges locally.
4. Windows NTFS Remote Code Execution (CVE-2026-20840)
Rated 7.8, this vulnerability involves a heap-based buffer overflow within Windows NTFS, which could permit an authorized attacker to execute code locally.
5. Windows Routing and Remote Access Service Elevation of Privilege (CVE-2026-20843)
This vulnerability, also rated at 7.8, is rooted in inadequate access control within the RRAS. It provides a pathway for authorized attackers to gain elevated privileges locally.
6. Windows Ancillary Function Driver for WinSock Elevation of Privilege (CVE-2026-20860)
Another 7.8-rated vulnerability, this one is a type confusion bug in the Ancillary Function Driver for WinSock that could grant an authorized attacker elevated privileges.
7. Desktop Window Manager Elevation of Privilege (CVE-2026-20871)
With a severity score of 7.8, this vulnerability involves a use-after-free error in the Desktop Window Manager that might allow an authorized attacker to escalate privileges locally.
8. Additional Windows NTFS Remote Code Execution (CVE-2026-20922)
This flaw mirrors CVE-2026-20840: another heap-based buffer overflow in Windows NTFS that gives an authorized attacker a second path to local code execution.
Highest-Rated Vulnerabilities in the Patch Tuesday Update
Three vulnerabilities in the update carry an 8.8 severity rating, the highest in this release, but Microsoft considers them less likely to be actively exploited. They are:
- CVE-2026-20947: A Microsoft SharePoint Server vulnerability tied to Remote Code Execution and SQL Injection.
- CVE-2026-20963: A SharePoint vulnerability relating to Remote Code Execution and Deserialization of Untrusted Data.
- CVE-2026-20868: A Windows Routing and Remote Access Service vulnerability associated with Remote Code Execution and a heap-based buffer overflow.
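The three lists above make a point worth keeping in mind when ordering patch work: the severity score alone is a poor sort key. The 5.5-rated zero-day is the one being exploited, while the three 8.8-rated flaws are the ones Microsoft rates as less likely to be attacked. The script below is an added example, not code from Microsoft or from this article's author, that encodes that ordering for the CVEs named above. The Cve dataclass, the three priority tiers and the function names are its own assumptions, and the CVE table is transcribed from this article rather than pulled from a vendor feed.

```python
"""Rank the January 2026 Patch Tuesday CVEs listed in this article by
exploitation evidence first and severity score second.

Added illustration, not code from Microsoft or from the article's author.
The CVE ids, scores, "more likely" flags and the KEV entry are transcribed
from the article; the tier scheme, the Cve class and the function names are
this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cve:
    cve_id: str
    component: str
    impact: str                 # "EoP", "RCE" or "Info Disclosure"
    cvss: float                 # severity score as given in the article
    exploited: bool = False     # actively exploited / in CISA's KEV catalog
    more_likely: bool = False   # Microsoft's "Exploitation More Likely"


# Transcribed from the article above (constructed table, not a vendor feed).
JANUARY_2026: List[Cve] = [
    Cve("CVE-2026-20805", "Desktop Window Manager", "Info Disclosure", 5.5, exploited=True),
    Cve("CVE-2026-20816", "Windows Installer", "EoP", 7.8, more_likely=True),
    Cve("CVE-2026-20817", "Windows Error Reporting", "EoP", 7.8, more_likely=True),
    Cve("CVE-2026-20820", "CLFS driver", "EoP", 7.8, more_likely=True),
    Cve("CVE-2026-20840", "Windows NTFS", "RCE", 7.8, more_likely=True),
    Cve("CVE-2026-20843", "RRAS", "EoP", 7.8, more_likely=True),
    Cve("CVE-2026-20860", "AFD for WinSock", "EoP", 7.8, more_likely=True),
    Cve("CVE-2026-20871", "Desktop Window Manager", "EoP", 7.8, more_likely=True),
    Cve("CVE-2026-20922", "Windows NTFS", "RCE", 7.8, more_likely=True),
    Cve("CVE-2026-20947", "SharePoint Server", "RCE", 8.8),
    Cve("CVE-2026-20963", "SharePoint Server", "RCE", 8.8),
    Cve("CVE-2026-20868", "RRAS", "RCE", 8.8),
]

TIER_LABELS = {
    0: "patch now (known exploited)",
    1: "next window (exploitation more likely)",
    2: "normal cadence",
}


def priority_tier(cve: Cve) -> int:
    """Assumed tiering: exploitation evidence outranks the raw score.

    0 = exploited in the wild (KEV), 1 = vendor says exploitation is more
    likely, 2 = everything else, however high its score.
    """
    if cve.exploited:
        return 0
    if cve.more_likely:
        return 1
    return 2


def prioritise(cves: List[Cve]) -> List[Cve]:
    """Order by tier, then by descending score, then by id for a stable list."""
    return sorted(cves, key=lambda c: (priority_tier(c), -c.cvss, c.cve_id))


def triage_report(cves: List[Cve]) -> List[str]:
    """One line per CVE in patch order, suitable for pasting into a ticket."""
    lines = []
    for rank, c in enumerate(prioritise(cves), start=1):
        lines.append(f"{rank:2d}. {c.cve_id}  {c.cvss:.1f}  {c.impact:<15} "
                     f"{c.component:<24} {TIER_LABELS[priority_tier(c)]}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(JANUARY_2026)))
```

Running the script lists CVE-2026-20805 first despite its 5.5 score, the eight "more likely" flaws next, and the three 8.8-rated SharePoint and RRAS issues last. Swapping the tier function for one that sorts purely by score would put those three at the top and the zero-day near the bottom, which is exactly the ordering the article's framing argues against.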