Microsoft’s Patch Tuesday January 2026 update includes fixes for one actively exploited zero-day vulnerability and eight additional high-risk flaws.
In all, the Patch Tuesday January 2026 update includes fixes for 112 Microsoft CVEs and three non-Microsoft CVEs, doubling December’s 57 vulnerabilities.
The actively exploited zero-day is CVE-2026-20805, a 5.5-rated Information Disclosure vulnerability affecting Desktop Window Manager (DWM). The discovery is credited to Microsoft’s own Threat Intelligence Center and Security Response Center (MSRC). Microsoft says of the vulnerability, “Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.”
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog shortly after Microsoft’s announcement.
Other vendors issuing updates this week include Fortinet, SAP, ServiceNow, and Adobe, among others.
Patch Tuesday January 2026 High-Risk Vulnerabilities
Microsoft judged eight vulnerabilities as “exploitation more likely.” They include:
- CVE-2026-20816, a 7.8-rated Windows Installer Elevation of Privilege vulnerability credited to a DCIT security researcher. The time-of-check time-of-use (TOCTOU) race condition in Windows Installer could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges.
- CVE-2026-20817, a 7.8-severity Windows Error Reporting Service Elevation of Privilege vulnerability. Microsoft notes that “Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally,” potentially leading to SYSTEM privileges. GMO Cybersecurity was credited with the find.
- CVE-2026-20820, a 7.8-rated Windows Common Log File System (CLFS) Driver Elevation of Privilege vulnerability. The heap-based buffer overflow in the Windows Common Log File System Driver could allow an authorized attacker to elevate privileges locally and attain SYSTEM privileges.
- CVE-2026-20840, a 7.8-severity Windows NTFS Remote Code Execution vulnerability credited to Sergey Tarasov of Positive Technologies. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally.
- CVE-2026-20843, another 7.8-rated flaw, a Windows Routing and Remote Access Service (RRAS) Elevation of Privilege vulnerability. Improper access control in Windows Routing and Remote Access Service (RRAS) could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges.
- CVE-2026-20860, also rated 7.8, a Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability credited to DEVCORE. The type confusion vulnerability in Windows Ancillary Function Driver for WinSock could allow an authorized attacker to elevate privileges locally.
- CVE-2026-20871, a Desktop Windows Manager Elevation of Privilege vulnerability, also rated 7.8 and credited to the Trend Zero Day Initiative. The use-after-free vulnerability in Desktop Windows Manager could allow an authorized attacker to elevate privileges locally.
- CVE-2026-20922, also rated 7.8, a Windows NTFS Remote Code Execution vulnerability also credited to Tarasov. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally.
Highest-Rated Vulnerabilities in the Patch Tuesday Update
The highest-rated vulnerabilities in the report – three 8.8-severity flaws – were judged to be at lower risk of attack by Microsoft. They include:
- CVE-2026-20947, a Microsoft SharePoint Server Remote Code Execution/SQL Injection vulnerability
- CVE-2026-20963, a Microsoft SharePoint Remote Code Execution/Deserialization of Untrusted Data vulnerability
- CVE-2026-20868, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution/Heap-based Buffer Overflow vulnerability
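The two lists above give a defender three signals per CVE: confirmed exploitation (the CISA KEV listing), Microsoft’s “exploitation more likely” assessment, and the CVSS score. The script below is an added example, not code from the article, Microsoft or CISA; it transcribes the CVEs named above into a small table and orders them for patching by those three signals. The priority rule (KEV first, then “exploitation more likely”, then CVSS) is an assumption chosen for this example, and the KEV document it parses is a constructed sample in the shape of the real CISA feed (the URL in the comment is the real feed; the dates in the sample are placeholders).

```python
"""Added triage example for the CVEs named in this Patch Tuesday summary.

Priority rule (an assumption for this example, not Microsoft's or CISA's
own guidance):
  tier 0: listed in the CISA KEV catalog (exploitation confirmed)
  tier 1: Microsoft's "Exploitation More Likely" assessment
  tier 2: everything else
Within a tier, higher CVSS first, then CVE ID for a stable order.
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float
    component: str
    impact: str           # EoP, RCE or Information Disclosure
    weakness: str         # vulnerability class as the advisory describes it
    exploit_likely: bool  # Microsoft "Exploitation More Likely"


# Transcribed from the summary above; ratings are the CVSS scores it quotes.
PATCH_TUESDAY_JAN_2026 = [
    Cve("CVE-2026-20805", 5.5, "Desktop Window Manager", "Information Disclosure", "information exposure", False),
    Cve("CVE-2026-20816", 7.8, "Windows Installer", "EoP", "TOCTOU race condition", True),
    Cve("CVE-2026-20817", 7.8, "Windows Error Reporting", "EoP", "improper privilege handling", True),
    Cve("CVE-2026-20820", 7.8, "CLFS Driver", "EoP", "heap-based buffer overflow", True),
    Cve("CVE-2026-20840", 7.8, "Windows NTFS", "RCE", "heap-based buffer overflow", True),
    Cve("CVE-2026-20843", 7.8, "RRAS", "EoP", "improper access control", True),
    Cve("CVE-2026-20860", 7.8, "AFD for WinSock", "EoP", "type confusion", True),
    Cve("CVE-2026-20871", 7.8, "Desktop Window Manager", "EoP", "use-after-free", True),
    Cve("CVE-2026-20922", 7.8, "Windows NTFS", "RCE", "heap-based buffer overflow", True),
    Cve("CVE-2026-20947", 8.8, "SharePoint Server", "RCE", "SQL injection", False),
    Cve("CVE-2026-20963", 8.8, "SharePoint", "RCE", "deserialization of untrusted data", False),
    Cve("CVE-2026-20868", 8.8, "RRAS", "RCE", "heap-based buffer overflow", False),
]

# Constructed sample in the shape of the real KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only cveID comes from the summary above; the dates are placeholders.
KEV_SAMPLE_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "count": 1,
    "vulnerabilities": [{
        "cveID": "CVE-2026-20805",
        "vendorProject": "Microsoft",
        "product": "Windows",
        "vulnerabilityName": "Microsoft Windows Desktop Window Manager Information Disclosure Vulnerability",
        "dateAdded": "YYYY-MM-DD",      # placeholder
        "shortDescription": "Constructed sample entry.",
        "requiredAction": "Apply mitigations per vendor instructions.",
        "dueDate": "YYYY-MM-DD",        # placeholder
    }],
})


def load_kev_ids(kev_json: str) -> set[str]:
    """Return the CVE IDs present in a KEV feed document (real feed or sample)."""
    doc = json.loads(kev_json)
    return {entry["cveID"] for entry in doc.get("vulnerabilities", [])}


def tier(cve: Cve, kev_ids: set[str]) -> int:
    """0 = in KEV, 1 = Exploitation More Likely, 2 = everything else."""
    if cve.cve_id in kev_ids:
        return 0
    return 1 if cve.exploit_likely else 2


def triage(cves: list[Cve], kev_ids: set[str]) -> list[Cve]:
    """Patch order: KEV first, then Microsoft's likely-exploited, then by CVSS."""
    return sorted(cves, key=lambda c: (tier(c, kev_ids), -c.cvss, c.cve_id))


def report(cves: list[Cve], kev_ids: set[str]) -> list[str]:
    """One line per CVE in patch order, with the reason it landed where it did."""
    reasons = {0: "in CISA KEV", 1: "exploitation more likely", 2: "by CVSS"}
    return [
        f"{c.cve_id}  {c.cvss:>3}  {c.impact:<22} {c.component:<24} {reasons[tier(c, kev_ids)]}"
        for c in triage(cves, kev_ids)
    ]


if __name__ == "__main__":
    print("\n".join(report(PATCH_TUESDAY_JAN_2026, load_kev_ids(KEV_SAMPLE_JSON))))
```

Run against the live feed by passing its downloaded JSON to `load_kev_ids` instead of the sample. The ordering makes the point the article’s two headings imply: the three 8.8-rated SharePoint and RRAS flaws land at the bottom of the list, below the eight 7.8-rated local privilege escalations, because exploitability evidence outranks base score.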