Microsoft Patch Tuesday (January 2026): 114 Vulnerabilities Fixed

Microsoft Patch Tuesday (January 2026): 114 Vulnerabilities Fixed

Microsoft has released its first security update of 2026, addressing 114 vulnerabilities, including one flaw actively exploited in the wild.

🔐 Key highlights:

• 114 total flaws patched
  • 8 Critical
  • 106 Important
• 58 privilege escalation vulnerabilities
• 21 remote code execution issues
• 22 information disclosure flaws

⚠️ Actively exploited vulnerability

• CVE-2026-20805 – Desktop Window Manager (DWM)
• Allows local information disclosure that can be chained to bypass ASLR
• Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog
• Federal agencies must patch by February 3, 2026

🔑 Other notable fixes

• Secure Boot certificate bypass (ahead of major certificate expirations in 2026)
• Removal of vulnerable legacy modem drivers exploited for privilege escalation
• Critical privilege escalation in Windows VBS Enclave affecting core security boundaries

📌 Why this matters
DWM, Secure Boot, and VBS sit at the heart of Windows security. Vulnerabilities here are often leveraged as building blocks for advanced, persistent attacks.

👉 Recommendation:
Prioritize patching, especially on systems exposed to local access, VDI environments, and endpoints running privileged workloads.