Microsoft January Patch Tuesday Fixes 114 Vulnerabilities Including Three Zero-Days
Microsoft’s January Patch Tuesday security updates addressed 114 vulnerabilities, including three zero-days reported as publicly known and/or exploited. Reported issues span multiple Windows and Microsoft product components, including Desktop Window Manager (DWM), legacy modem drivers, and core OS services, with a mix of information disclosure, elevation of privilege (EoP), security feature bypass, and remote code execution (RCE) flaws.
Technical highlights called out include CVE-2023-31096 (Windows Agere Soft Modem Driver EoP), CVE-2026-20805 (DWM information disclosure), and a Secure Boot certificate expiration security feature bypass (CVE-2026-21265). The update set also includes multiple Office/Excel/Word RCE vulnerabilities (e.g., CVE-2026-20952, CVE-2026-20953, CVE-2026-20955, CVE-2026-20957, CVE-2026-20944), Windows privilege-escalation issues (e.g., Windows Graphics Component and VBS Enclave EoP), and cloud/agent components such as Azure Connected Machine Agent (CVE-2026-21224) and Azure Core shared client library for Python (CVE-2026-21226).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses CVE-2026-20805 as an exploited zero-day
The January 2026 security updates identify CVE-2026-20805 as exploited in the wild. Reporting indicates the flaw affects a wide range of Windows client and server versions, making it the most clearly active zero-day in the release.
Microsoft releases January 2026 Patch Tuesday updates
On January 13, 2026, Microsoft released its January Patch Tuesday security updates addressing 114 vulnerabilities across Windows, Office, SharePoint, Azure components, Edge/WebView, and other products. Multiple sources describe the release as including three zero-day flaws.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Microsoft Patch Tuesday: January 2026 | Arctic Wolf
arcticwolf.com
Open sourceZero Day Initiative - The January 2026 Security Update Review
thezdi.com
Open sourceMicrosoft January 2026 Patch Tuesday fixes 3 zero-days, 114 flaws
bleepingcomputer.com
Open sourceMicrosoft Patch Tuesday January 2026 - 114 Vulnerabilities Fixed Including 3 Zero-days
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days and Dozens of Vulnerabilities
Microsoft’s March 2026 Patch Tuesday shipped fixes for **79 vulnerabilities**, including **two zero-day flaws**. Public reporting and third-party patch reviews highlight a mix of *Important* and *Critical* issues across Microsoft’s ecosystem, including **.NET** (`CVE-2026-26127` DoS; `CVE-2026-26131` EoP), **Active Directory Domain Services** (`CVE-2026-25177` EoP), **ASP.NET Core** (`CVE-2026-26130` DoS), and multiple Azure components such as **ACI Confidential Containers** (`CVE-2026-23651`, `CVE-2026-26124` EoP; `CVE-2026-26122` information disclosure) and **Azure IoT Explorer** (`CVE-2026-26121` spoofing; `CVE-2026-23661/23662/23664` information disclosure). Independent analysis (ZDI and SANS ISC) corroborated the breadth of affected products and provided additional scoring/metadata, including CVSS ratings and exploitability flags. ZDI’s review also called out additional *Critical* items in the release such as **Microsoft Office RCE** (`CVE-2026-26110`, `CVE-2026-26113`) and other high-impact vulnerabilities, while SANS ISC’s Patch Tuesday coverage additionally noted bundled **Chromium**-tracked fixes (multiple `CVE-2026-3536` through `CVE-2026-3544` entries) that commonly map to Microsoft’s browser/embedded Chromium components. Organizations should prioritize patching systems exposed to untrusted content or authentication boundaries (e.g., Office, AD DS, Azure agents/extensions) and validate deployment coverage across both Windows and cloud-connected workloads.
Mar 21, 2026
Microsoft Issues Record Patch Tuesday With 206 Fixes and Multiple Zero-Day Risks
Microsoft released its largest Patch Tuesday update to date, fixing **206 vulnerabilities** across Windows, Office, Azure, Exchange, SharePoint, SQL Server, Visual Studio, Copilot-related offerings, and other products. Multiple reports said the release included **three publicly disclosed zero-days**, while Microsoft separately noted an earlier out-of-band fix for the actively exploited Microsoft Defender flaw `CVE-2026-41091`. Publicly disclosed issues in the June bundle included `CVE-2026-50507`, a **BitLocker** security feature bypass that could expose encrypted data with physical access and available proof-of-concept code, and `CVE-2026-45586`, a **Windows CTFMON** elevation-of-privilege flaw that could let a low-privileged local attacker gain **SYSTEM** access. JPCERT/CC also warned that Microsoft disclosed active exploitation of `CVE-2026-42897`, a spoofing flaw in **Microsoft Exchange Server**.
Jun 20, 2026
Microsoft Patch Tuesday Fixes Six Actively Exploited Zero-Days Including Windows Shell SmartScreen Bypass
Microsoft released its February Patch Tuesday security updates addressing **~58–59 vulnerabilities** across Windows and other products, including **six zero-day flaws confirmed as actively exploited in the wild** and **five Critical** issues. Reported vulnerability classes were led by **Elevation of Privilege (25)**, followed by **Remote Code Execution (12)** and **Security Feature Bypass (5)**, with additional fixes for spoofing, information disclosure, DoS, and XSS; Microsoft also noted additional *Edge* fixes shipped outside the prior Patch Tuesday cadence, including an Android spoofing issue (`CVE-2026-0391`). One of the actively exploited zero-days highlighted across reporting is `CVE-2026-21510`, a **Windows Shell security feature bypass** that can be abused to evade **Mark-of-the-Web/SmartScreen-style warnings** by using specially crafted files (e.g., shortcut/link formats) so that untrusted content can execute without expected prompts, making it well-suited to phishing and social-engineering delivery. Separate coverage also noted Microsoft’s rollout of **updated Secure Boot certificates** ahead of the June 2026 expiration of legacy 2011 certificates, a change with broad implications for Windows boot integrity and enterprise device management.
Mar 21, 2026