Microsoft January Patch Tuesday Security Updates for Windows 10/11
Microsoft shipped its January Patch Tuesday security updates for Windows 10 (including ESU/LTSC) and Windows 11, addressing a large set of vulnerabilities and rolling in additional platform hardening changes. Windows 10’s KB5073724 (ESU) updates systems to build 19045.6809 (and LTSC 2021 to 19044.6809) and includes security/bug fixes plus a phased update to handle expiring Secure Boot certificates; it also removes legacy Agere modem drivers (agrsm64.sys, agrsm.sys, smserl64.sys, smserial.sys), which can break dependent modem hardware. Windows 11 cumulative updates KB5074109 (25H2/24H2) and KB5073455 (23H2) are mandatory and include fixes for issues such as WSL mirrored networking failures (“No route to host”) impacting VPN access and RemoteApp connection failures in Azure Virtual Desktop environments.
Third-party analysis of the same Patch Tuesday release reported 112 vulnerabilities (with 8 marked critical) and at least one vulnerability observed exploited in the wild: CVE-2026-20805. The critical issues highlighted include multiple remote code execution vulnerabilities across Windows components and Office applications (including LSASS, Word, Excel, and Office), plus elevation of privilege flaws such as CVE-2026-20822 (Windows Graphics Component, use-after-free leading to potential SYSTEM privileges) and CVE-2026-20854 (LSASS RCE over the network without requiring elevated privileges). Organizations should prioritize rapid deployment of the January Windows updates, with particular attention to exploited-in-the-wild items and critical RCE/EoP paths.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
CISA sets February 3 deadline for federal agencies to patch CVE-2026-20805
Following the KEV addition, CISA required U.S. federal civilian agencies to remediate CVE-2026-20805 by February 3, 2026. The deadline reflected the vulnerability's active exploitation status.
CISA adds CVE-2026-20805 to the KEV catalog
After Microsoft disclosed the active exploitation of CVE-2026-20805, CISA added the flaw to its Known Exploited Vulnerabilities catalog. The listing made the issue a priority for defenders and federal agencies.
Microsoft begins phased rollout of updated Secure Boot certificates
The January 2026 updates started a phased deployment of refreshed Secure Boot certificates to address the upcoming expiration of older certificates. Microsoft also changed rollout behavior to use device targeting data for staged deployment.
Microsoft removes vulnerable legacy modem drivers in January updates
As part of the January 2026 Windows updates, Microsoft removed legacy Agere modem drivers and related files tied to an elevation-of-privilege issue, with some reports also noting Motorola soft modem driver removal. Microsoft warned this could break dependent legacy modem hardware.
Windows 10 ESU update KB5073724 released
Microsoft released Windows 10 extended security update KB5073724 for Windows 10 and Enterprise LTSC systems enrolled in the ESU program. The update included January 2026 security fixes, removed specific Agere modem driver files, addressed the WinSqlite DLL issue, and began phased Secure Boot certificate updates.
Windows 11 January cumulative updates KB5074109 and KB5073455 ship
Microsoft released mandatory Windows 11 cumulative updates KB5074109 and KB5073455 for versions 25H2/24H2 and 23H2. The updates delivered the January 2026 security fixes, removed certain legacy modem drivers, fixed networking and power issues, and changed Secure Boot certificate rollout behavior to phased device targeting.
Microsoft flags additional January vulnerabilities as higher exploitation risk
Alongside the Patch Tuesday release, Microsoft identified eight additional vulnerabilities as more likely to be exploited. These included issues across Windows components such as Installer, Error Reporting, CLFS, NTFS, RRAS, WinSock ancillary driver, and DWM.
Microsoft patches actively exploited DWM zero-day CVE-2026-20805
The January 2026 updates fixed CVE-2026-20805, an information disclosure flaw in Desktop Window Manager that Microsoft said was being exploited in the wild. The bug can leak memory address information, potentially helping attackers bypass mitigations and chain follow-on attacks.
Microsoft releases January 2026 Patch Tuesday security updates
On January 13, 2026, Microsoft released its January Patch Tuesday updates, addressing 112 Microsoft vulnerabilities across Windows, Office, SharePoint, RRAS, and other products; some reports count 114 when including non-Microsoft or Chromium-related CVEs. The release included eight critical flaws and a large number of elevation-of-privilege and remote code execution issues.
Microsoft warns 2011 Secure Boot certificates will expire in 2026
Microsoft had warned since June 2025 that multiple Secure Boot certificates issued in 2011 would expire in 2026. The company said systems that do not receive updated certificates could face Secure Boot failures or weakened protections.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
12 references tracked. Mallory keeps watching after this page renders.
Microsoft Patch Tuesday: January 2026 | Arctic Wolf
arcticwolf.com
Open sourceMicrosoft Patch Tuesday Fixes 112 Flaws, Includes SharePoint and Windows
techrepublic.com
Open sourceMicrosoft January 2026 Patch Tuesday: 114 flaws addressed, including actively exploited 0-day | SC Media
scworld.com
Open sourceJanuary 2026 Patch Tuesday: Active Zero-Day & 111 Other Flaws Addressed
socradar.io
Open sourceMicrosoft releases Windows 10 KB5073724 extended security update
bleepingcomputer.com
Open sourceWindows 11 KB5074109 & KB5073455 cumulative updates released
bleepingcomputer.com
Open sourceMicrosoft Starts 2026 With a Bang: A Freshly Exploited Zero-Day
darkreading.com
Open sourceMicrosoft Patch Tuesday for January 2026 - Snort rules and prominent vulnerabilities
blog.talosintelligence.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft January Patch Tuesday Fixes 114 Vulnerabilities Including Three Zero-Days
Microsoft’s January Patch Tuesday security updates addressed **114 vulnerabilities**, including **three zero-days** reported as publicly known and/or exploited. Reported issues span multiple Windows and Microsoft product components, including **Desktop Window Manager (DWM)**, legacy modem drivers, and core OS services, with a mix of **information disclosure**, **elevation of privilege (EoP)**, **security feature bypass**, and **remote code execution (RCE)** flaws. Technical highlights called out include **CVE-2023-31096** (Windows Agere Soft Modem Driver EoP), **CVE-2026-20805** (DWM information disclosure), and a **Secure Boot certificate expiration** security feature bypass (**CVE-2026-21265**). The update set also includes multiple **Office/Excel/Word RCE** vulnerabilities (e.g., **CVE-2026-20952**, **CVE-2026-20953**, **CVE-2026-20955**, **CVE-2026-20957**, **CVE-2026-20944**), Windows privilege-escalation issues (e.g., **Windows Graphics Component** and **VBS Enclave** EoP), and cloud/agent components such as **Azure Connected Machine Agent** (**CVE-2026-21224**) and **Azure Core shared client library for Python** (**CVE-2026-21226**).
Mar 21, 2026
Microsoft March Patch Tuesday Ships 83 Fixes and Windows 11 Cumulative Updates
Microsoft’s March Patch Tuesday security release shipped fixes for **83 vulnerabilities** across its enterprise software and services, and was notable for having **no actively exploited zero-days** for the first time in six months. Microsoft flagged **six** vulnerabilities as “more likely to be exploited,” and noted two issues—`CVE-2026-21262` and `CVE-2026-26127`—were **publicly known** at release. Researchers highlighted an Excel information-disclosure issue, `CVE-2026-26144`, describing a scenario where an attacker could potentially induce a *Copilot Agent* to exfiltrate data in a **zero-click** style workflow, and also pointed to Office flaws `CVE-2026-26110` and `CVE-2026-26113` (CVSS 8.4) that could enable **arbitrary code execution** via the Office preview pane. Microsoft also released **mandatory Windows 11 cumulative updates** `KB5079473` (25H2/24H2) and `KB5078883` (23H2) that incorporate the March 2026 Patch Tuesday security fixes, along with additional non-security changes. The updates advance build numbers to **26200.8037/26100.8037** (25H2/24H2) and **22631.6783** (23H2), expand “high-confidence device targeting” to increase coverage for automatic delivery of new **Secure Boot certificates**, and include reliability improvements such as better File Explorer search across drives and changes to **Windows Defender Application Control (WDAC)** behavior for COM objects (policy listing support).
Mar 30, 2026
Microsoft February Patch Tuesday Fixes Six Zero-Day Vulnerabilities and Rolls Out New Secure Boot Certificates
Microsoft released its **February 2026 Patch Tuesday** security updates, addressing **54–58 vulnerabilities** across Windows and other Microsoft products, including **six zero-days** that were **publicly disclosed and/or actively exploited** prior to patch availability. Reported zero-days include `CVE-2026-21514` (Office Word security feature bypass), `CVE-2026-21513` (MSHTML security feature bypass), `CVE-2026-21510` (Windows Shell security feature bypass), `CVE-2026-21533` (Windows Remote Desktop Services elevation of privilege), `CVE-2026-21525` (Windows Remote Access Connection Manager DoS), and `CVE-2026-21519` (Desktop Window Manager elevation of privilege). The broader release spans common bug classes such as **RCE**, **EoP**, **information disclosure**, **spoofing**, **DoS**, and **security feature bypass**, with multiple **Critical** issues also called out, including Azure Compute Gallery flaws impacting *ACI Confidential Containers* (`CVE-2026-23655`, `CVE-2026-21522`). As part of the February Windows updates, Microsoft also began a **phased rollout of updated Secure Boot certificates** to replace the original **2011 certificates** ahead of their expiration in **late June 2026**, using “targeting data” and “successful update signals” to control deployment. Windows 11 cumulative updates (including **KB5077181** and **KB5075941**) were released as mandatory Patch Tuesday packages for supported Windows 11 versions, bundling the security fixes alongside additional reliability and feature changes. Separately, Adobe issued February security bulletins covering **44 CVEs** across multiple Creative Cloud products; those Adobe issues were not listed as publicly known or under active attack at release.
Mar 21, 2026