Microsoft Patches 114 Vulnerabilities in January 2026 Update, Including Critical Zero-Days

Microsoft’s January 2026 Patch Tuesday: Addressing 114 Vulnerabilities, Including Three Zero-Days

In its latest Patch Tuesday release on January 13, 2026, Microsoft has rolled out security updates to address 114 vulnerabilities across its software suite. This comprehensive update includes fixes for three zero-day vulnerabilities and several critical remote code execution (RCE) flaws, underscoring the company’s commitment to enhancing system security.

Overview of Vulnerabilities

The January 2026 update encompasses a diverse range of security issues:

– Remote Code Execution (RCE): 22 vulnerabilities
– Denial of Service (DoS): 2 vulnerabilities
– Elevation of Privilege (EoP): 57 vulnerabilities
– Information Disclosure: 22 vulnerabilities
– Security Feature Bypass: 3 vulnerabilities
– Spoofing: 5 vulnerabilities
– Tampering: 3 vulnerabilities

Among these, 12 are classified as critical, with the majority being elevation-of-privilege flaws found in kernel drivers and management services.

Zero-Day Vulnerabilities

Three zero-day vulnerabilities have been identified and patched in this release:

1. CVE-2026-20805 – Desktop Window Manager Information Disclosure Vulnerability:
– Severity: Important (rated High by Check Point)
– Description: This flaw allows unauthorized access to sensitive data through the Desktop Window Manager (DWM).
– Patch Date: January 13, 2026

2. CVE-2026-21265 – Windows Digital Media Elevation of Privilege Vulnerability:
– Severity: Not specified
– Description: Targets digital media handling processes, enabling local privilege escalation.

3. CVE-2023-31096 – Legacy Component Zero-Day Vulnerability:
– Severity: Not specified
– Description: Despite carrying a 2023 CVE identifier, this vulnerability is included in the January 2026 updates, indicating that it remains relevant.

Critical Vulnerabilities

Several critical RCE vulnerabilities have been addressed:

– CVE-2026-20854 – Windows LSASS Use-After-Free RCE:
– Severity: Critical
– Description: A use-after-free error in the Local Security Authority Subsystem Service (LSASS) that can be exploited over the network.

– CVE-2026-20944 – Microsoft Word Out-of-Bounds Read RCE:
– Severity: Critical
– Description: An out-of-bounds read vulnerability in Microsoft Word that could allow remote code execution.

– CVE-2026-20953 – Microsoft Office Use-After-Free RCE:
– Severity: Critical
– Description: A use-after-free vulnerability in Microsoft Office that could lead to remote code execution.

Additionally, critical elevation-of-privilege vulnerabilities have been identified in the Graphics Component (CVE-2026-20822) and the Virtualization-Based Security (VBS) Enclave (CVE-2026-20876), both involving use-after-free issues.

Recommendations for Deployment

To mitigate potential risks, it is recommended to:

1. Prioritize Internet-Facing Systems: Begin by updating systems exposed to the internet, such as Windows Server Update Services (WSUS) and SMB servers.

2. Update Office Endpoints: Ensure that all Microsoft Office applications are updated to address vulnerabilities like CVE-2026-20944 and CVE-2026-20953.

3. Test in Staging Environments: Before deploying updates widely, test them in controlled environments to identify and address potential regressions, especially in drivers like the Cloud Files Mini Filter.

4. Enable Automatic Updates: For consumer devices, enabling automatic updates ensures timely application of security patches.

5. Monitor CISA KEV Catalog: Stay informed about any rapid additions to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, as zero-day vulnerabilities heighten the urgency for updates.
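As an added example (not part of the original article or any Microsoft or CISA tooling), the Python script below triages the CVE IDs named on this page against a file in the shape of CISA's KEV JSON feed, ranking catalog entries first by their remediation due date. The embedded catalog is a constructed sample so the script runs offline; it does not claim these CVEs are in the real catalog, and in practice you would load the downloaded feed instead.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Illustrative data only: it does not assert that these CVEs are in the real catalog.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "vulnerabilities": [
    {"cveID": "CVE-2026-20805", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Desktop Window Manager Information Disclosure Vulnerability",
     "dateAdded": "2026-01-13", "dueDate": "2026-02-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-31096", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Legacy Component Vulnerability",
     "dateAdded": "2026-01-13", "dueDate": "2026-01-20", "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# CVE IDs named in the January 2026 release discussed above.
PATCH_TUESDAY_CVES = [
    "CVE-2026-20805", "CVE-2026-21265", "CVE-2023-31096", "CVE-2026-20854",
    "CVE-2026-20944", "CVE-2026-20953", "CVE-2026-20822", "CVE-2026-20876",
]

def kev_index(kev_json):
    """Map cveID -> catalog entry for every vulnerability in the feed."""
    catalog = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}

def triage(cve_ids, kev_json, today_iso):
    """Rank CVEs: KEV entries first (earliest due date first), then the rest.
    Each row records the KEV due date, whether it has passed, and ransomware use."""
    today = date.fromisoformat(today_iso)
    index = kev_index(kev_json)
    rows = []
    for cve in cve_ids:
        entry = index.get(cve)
        if entry is None:
            rows.append({"cve": cve, "in_kev": False, "due": None, "overdue": False, "ransomware": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({"cve": cve, "in_kev": True, "due": due, "overdue": due < today,
                     "ransomware": entry.get("knownRansomwareCampaignUse") == "Known"})
    rows.sort(key=lambda r: (not r["in_kev"], r["due"] or date.max))
    return rows

if __name__ == "__main__":
    for r in triage(PATCH_TUESDAY_CVES, SAMPLE_KEV_JSON, "2026-01-21"):
        print("KEV" if r["in_kev"] else "   ", r["cve"], r["due"] or "-", "OVERDUE" if r["overdue"] else "")
```

Rows flagged `overdue` are KEV entries whose remediation due date has already passed on the given day, which is the list to escalate first.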

Conclusion

Microsoft’s January 2026 Patch Tuesday release is a significant step in fortifying system security, addressing a wide array of vulnerabilities, including critical zero-day flaws. Organizations and individual users are urged to apply these updates promptly to safeguard their systems against potential exploits.