Microsoft January 2026 Patch Tuesday: 3 Zero-Days Among 114 Fixes
Microsoft's first Patch Tuesday of 2026 addresses 114 vulnerabilities including one actively exploited zero-day in Desktop Window Manager tracked as CVE-2026-20805.
Microsoft's January 2026 Patch Tuesday addresses 114 security vulnerabilities, including one actively exploited zero-day and two publicly disclosed flaws. Eight vulnerabilities are rated Critical, with the majority being remote code execution issues.
Actively Exploited Zero-Day
The most urgent issue is CVE-2026-20805 (CVSS 5.5), an information disclosure vulnerability in Windows Desktop Window Manager (DWM). The flaw allows local attackers with basic user privileges to access sensitive system memory addresses.
This information can help attackers:
- Bypass security protections like ASLR
- Enable more sophisticated follow-up attacks
- Gain information useful for privilege escalation
CISA has added CVE-2026-20805 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by February 3, 2026.
Critical Vulnerabilities
Among the eight Critical-rated flaws:
- CVE-2026-20854: Remote code execution in Windows LSASS (CVSS 7.5)
- CVE-2026-20952 & CVE-2026-20953: Microsoft Office RCE flaws triggered via Preview Pane
- CVE-2026-21265: Secure Boot certificate bypass (CVSS 6.4)
Secure Boot Certificate Warning
Microsoft warned that the Secure Boot certificates used by most Windows devices will begin expiring in June 2026. Devices that are not updated in time may experience boot issues, so administrators should prioritize this update before the certificates expire.
Recommended Actions
- Prioritize patching CVE-2026-20805 due to active exploitation
- Test and deploy Critical updates for LSASS and Office
- Plan for Secure Boot certificate updates before June 2026
- Review and test all 114 patches in staging environments