
Microsoft’s January 13, 2026, Patch Tuesday release addresses 114 vulnerabilities, including one actively exploited zero-day in Desktop Window Manager, eight critical flaws, and three publicly disclosed zero-days.
This first update of the year covers Windows 10/11/Server builds through KBs such as 5073455 (22631.6491) and 5074109 (26200.7623); it also removes the vulnerable Agere modem drivers and renews the expiring Secure Boot certificates. Security teams should prioritize patching CVE-2026-20805, given its addition to the CISA KEV catalog and its confirmed in-the-wild exploitation.
Key numbers
- 114 total CVEs
- 3 zero-day vulnerabilities
- 1 exploited in the wild
- 2 publicly disclosed (Microsoft acknowledges public knowledge)
The release covers multiple Microsoft products, but Windows dominates the volume.
- Windows accounted for the largest share of fixes (~93)
- Office followed (~16)
Vulnerability Overview
🔥 January 2026 Patch Tuesday: Vulnerability Statistics
| Category | Count | % of Total | Key Components | Risk Priority |
|---|---|---|---|---|
| Elevation of Privilege | 57 | 50% | Win32K, Graphics, VBS Enclave | 🔴 HIGH |
| Remote Code Execution | 22 | 19% | Office (Word/Excel), LSASS | 🟡 MEDIUM |
| Information Disclosure | 22 | 19% | DWM Core (CVE-2026-20805 exploited) | 🔴 CRITICAL |
| Other (SFB/DoS/Spoofing) | 13 | 12% | Secure Boot, Networking | 🟢 LOW |
| Total CVEs | 114 | 100% | 8 Critical + 1 Exploited Zero-Day | |
Zero-Days and Exploited Vulnerabilities
Three zero-days stand out, with only one confirmed in active attacks:
- CVE-2026-20805 (DWM Information Disclosure, CVSS 5.5/Important): A low-privileged local attacker can leak user-mode memory addresses via remote ALPC ports, bypassing ASLR as a building block for EoP/RCE chains. It affects all supported Windows versions and was added to CISA KEV on January 13; the federal patch deadline is February 3.
- CVE-2026-21265 (Secure Boot Certificate Bypass, Important): Publicly disclosed. The update replaces the 2011 Secure Boot certificates that expire in mid-2026, preventing boot-chain attacks.
- CVE-2023-31096 (Agere Modem Driver EoP, Important): The update removes the agrsm.sys driver, which has been exploited to gain administrator privileges.
No other January CVEs show in-the-wild activity per Microsoft/CISA reports.
Critical Vulnerabilities Breakdown
All eight Critical CVEs from the January 2026 Patch Tuesday demand urgent attention because of their potential for chaining in ransomware or APT intrusions. Details, CVSS scores and affected products are listed below.
| CVE ID | Component | Type | CVSS/Details | Affected Products |
|---|---|---|---|---|
| CVE-2026-20822 | Graphics | EoP (Use-after-free) | 7.8; Heap manipulation for kernel priv esc | Win10/11/Server |
| CVE-2026-20876 | VBS Enclave | EoP (Heap overflow) | Critical; Breaks VBS for SYSTEM access | VBS-enabled Windows |
| CVE-2026-20944 | MS Word | RCE | 7.8; Preview Pane exploit | Office/Word |
| CVE-2026-20952 | Office | RCE | Critical; File/Preview trigger | Office suite |
| CVE-2026-20953 | Office | RCE | Critical; Chains w/info disclosure | Office suite |
| CVE-2026-20955 | Excel | RCE | 7.8; Spreadsheet parsing flaw | Excel |
| CVE-2026-20957 | Excel | RCE | Critical; High-sev parsing vuln | Excel |
| CVE-2026-20854 | LSASS | RCE | Critical; Network/priv esc potential | Win Server/Client |
Key Priorities:
- Patch Order: CVE-2026-20822 → CVE-2026-20876 → Office RCE chain (20944/52/53)
- EPSS Risk: the Graphics and VBS flaws are expected to exceed a 0.9 exploitation probability within 30 days
- Mitigations: Disable Office Preview Pane, restrict LSASS network access
Affected Systems and Changes
- Windows 11: 25H2 (KB5074109/26200.7623), 24H2/23H2 (KB5073455/22631.6491).
- Server: 2022 (KB5073457/20348.4648).
- Other: Office, .NET, Visual Studio; drops Agere drivers (agrsm.sys); updates Secure Boot KEK/DB CAs.
Patching Priorities and Best Practices
- Deploy CVE-2026-20805 patches immediately on internet-facing/multi-user systems.
- Test VBS/Graphics for regressions; disable Office Preview Pane to block RCEs.
- Monitor NVD/EPSS (prioritize >0.9 scores), CISA KEV; use WSUS for enterprise rollout.
- No public PoCs exist beyond the zero-days, but expect exploit chains; scan for unpatched hosts with Qualys or Nessus.
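As an added example (not from the article or from Microsoft), the following PowerShell check confirms a host has reached the January 2026 build listed above for its version and that the removed agrsm.sys driver is gone; the build-to-KB table is taken from the figures in this article, and the script itself is an assumption about how a team would verify rollout.

```powershell
# Added example: verify the host's OS build against the January 2026 targets
# quoted in this article and confirm the Agere driver (agrsm.sys) was removed.
# The build/KB pairs come from the article; the mapping is this script's assumption.
$Targets = @{
    '26200' = @{ KB = 'KB5074109'; UBR = 7623 }   # Windows 11 25H2
    '22631' = @{ KB = 'KB5073455'; UBR = 6491 }   # Windows 11 (listed as 24H2/23H2 above)
    '20348' = @{ KB = 'KB5073457'; UBR = 4648 }   # Windows Server 2022
}

$nt    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [string]$nt.CurrentBuildNumber
$ubr   = [int]$nt.UBR   # Update Build Revision, the part after the dot (e.g. 26200.7623)

if (-not $Targets.ContainsKey($build)) {
    Write-Warning "Build $build is not in this script's table; check the Microsoft release notes for its January 2026 KB."
    return
}

$t = $Targets[$build]
# The UBR comparison is authoritative; Get-HotFix does not always list cumulative
# updates, so KBListed is only a secondary signal.
$hotfix = Get-HotFix -Id $t.KB -ErrorAction SilentlyContinue

[pscustomobject]@{
    Build         = "$build.$ubr"
    RequiredBuild = "$build.$($t.UBR)"
    ExpectedKB    = $t.KB
    KBListed      = [bool]$hotfix
    Patched       = ($ubr -ge $t.UBR)
}

# CVE-2023-31096: the update removes the vulnerable Agere modem driver.
$agere = Join-Path $env:SystemRoot 'System32\drivers\agrsm.sys'
if (Test-Path $agere) {
    Write-Warning "agrsm.sys still present at $agere; the January update has not applied cleanly."
} else {
    Write-Output 'agrsm.sys not present.'
}
```

Run it through your endpoint management tool or a remoting session and collect the Patched field per host to find stragglers before the February 3 KEV deadline.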