Pierluigi Paganini January 14, 2026

Microsoft Patch Tuesday addressed 112 security flaws across Windows, Office, Azure, Edge, and more, including eight critical vulnerabilities, kicking off the new year with a major patch update.

Microsoft Patch Tuesday security updates for January 2026 release 112 CVEs affecting Windows, Office, Azure, Edge, SharePoint, SQL Server, SMB, and Windows management services. Including third-party Chromium fixes, the total rises to 114 vulnerabilities. Eight flaws are rated Critical, while the rest are Important. Large January releases are common, as vendors often delay patches during the holidays to avoid disruptions.

One of these flaws, tracked as CVE-2026-20805 (CVSS score of 5.5), is actively exploited in attacks in the wild, while two others are labeled as publicly known at release. CVE-2026-20805 is a Windows Desktop Window Manager flaw that lets attackers leak small pieces of memory information. While it does not directly run malicious code, the leaked data can help attackers bypass security protections and make more serious exploits work.

“Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.” reads the advisory. “The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port which is user-mode memory.”

This weakness shows how even limited information leaks can play a key role in full system compromise.

Microsoft did not share details about the attacks exploiting this vulnerability.

The following vulnerabilities are labeled as publicly known at release:

• CVE-2023-31096 (CVSS score of 7.8) – This flaw affects outdated Agere Soft Modem drivers included with Windows. The vulnerability allows attackers to gain higher system privileges by exploiting these drivers. If abused, it could let a local attacker take deeper control of a device. To eliminate the risk, Microsoft removed the vulnerable agrsm64.sys and agrsm.sys drivers in the January 2026 cumulative update.
• CVE-2026-21265 (CVSS score of 6.4) – affects Windows Secure Boot and relates to expiring security certificates. If administrators do not update these certificates, systems may stop trusting new boot loaders and could fail to receive future security updates. While attackers are unlikely to exploit this issue directly, ignoring it can leave devices unpatched or unable to boot securely. Microsoft disclosed this issue months ago, which is why it is listed as publicly known.
• CVE-2024-55414 (CVSS score of 6.4) – CVE-2024-55414 affects Motorola Soft Modem drivers included with Windows and allows attackers to gain elevated system privileges. The flaw exists in the smserl64.sys and smserial.sys drivers, which Microsoft removed in the January cumulative update. Systems that still rely on this legacy hardware may face compatibility issues, and Microsoft advises removing any remaining dependencies to reduce security risk.

The full list of CVEs addressed by Microsoft Patch Tuesday security updates for January 2026 is available here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Patch Tuesday)