Security

Microsoft Fixes 114 Flaws; DWM Zero-Day Patched

Microsoft January 2026 Patch: DWM Zero-Day Fixed
Patch Tuesday Fixes

• Microsoft released its January 2026 Patch Tuesday fixing 114 Windows vulnerabilities. • One issue, CVE-2026-20805 in Desktop Window Manager (DWM), is confirmed exploited in the wild and added to CISA’s KEV catalog. • The bundle includes eight Critical and 106 Important fixes, with priority items in VBS Enclave and Secure Boot certificate handling.

What Microsoft patched in January 2026

Microsoft’s January update addresses 114 security flaws across Windows components. Eight are rated Critical and 106 Important.

Vulnerability types include 58 privilege-escalation, 22 information-disclosure, 21 remote-code-execution, and five spoofing issues, according to telemetry aggregated by Fortra.

Actively exploited DWM flaw: CVE-2026-20805

The most urgent fix is CVE-2026-20805 (CVSS 5.5), an information-disclosure bug in Desktop Window Manager that Microsoft says has been observed in active exploitation. The company credits MTIC and MSRC for reporting the issue.

Microsoft warns the flaw can let a locally authorized attacker read a section address from a remote ALPC port — revealing user-mode memory addresses that can defeat address-space layout randomization (ASLR) and assist follow-on attacks.

Adam Barnett of Rapid7 noted DWM’s role in rendering makes it ‘‘an enticing combination of privileged access and universal availability,’’ increasing its attractiveness to attackers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20805 to its Known Exploited Vulnerabilities (KEV) catalog and requires Federal Civilian Executive Branch agencies to apply fixes by February 3, 2026.

Other high-priority fixes

Notable patches include a critical privilege-escalation flaw in Windows Virtualization-Based Security (VBS) Enclave, CVE-2026-20876 (CVSS 6.7), which could allow elevation to Virtual Trust Level 2 and undermine core OS protections.

Microsoft also fixed a Secure Boot certificate expiration bypass (CVE-2026-21265, CVSS 6.4). Microsoft previously warned that several 2011 Secure Boot certificates will expire in 2026 and urged customers to migrate to 2023 certificates to avoid boot disruptions.

The update removes legacy Agere soft modem drivers (agrsm64.sys, agrsm.sys) after those drivers were linked to a two-year-old local privilege-escalation flaw (CVE-2023-31096).

What admins should do now

Prioritize installing the January updates immediately, especially systems exposed to local users or running virtualization features. Federal agencies must meet CISA’s Feb. 3 deadline for the DWM fix.

Review Secure Boot certificate guidance and update affected certificates before the June 2026 expirations to avoid boot failures. Remove or replace legacy drivers highlighted by Microsoft where possible.

Wider vendor patching

Microsoft’s fixes arrive alongside security updates from numerous vendors — Adobe, Google (Android/Chrome), AMD, Cisco, NVIDIA and others — underscoring a broad start to the year for vulnerability remediation.

Stay current with vendor advisories and test updates in controlled environments before broad deployment.

Read more