Safety groups anticipating one other modest Patch Tuesday after December are prone to be dissatisfied with Microsoft’s January replace, which tackles 112 widespread vulnerabilities and exposures (CVEs), or almost double the quantity addressed final month.
Amongst them is a zero-day vulnerability in Desktop Window Supervisor (DWM) designated as CVE-2026-20805 (CVSS rating: 5.5), which attackers are already exploiting to leak reminiscence deal with data that would weaken system protections and allow follow-on assaults.
Actively Exploited Zero-Day
DWM controls how utility home windows seem on a consumer’s display and is a element that has had its share of vulnerabilities over time, stated Satnam Narang, senior employees analysis engineer at Tenable, in a ready remark. The newest vulnerability — the primary data disclosure zero-day bug in DWM — permits attackers to steal data that would assist them escalate privileges, Narang stated.
Although Microsoft itself has assessed CVE-2026-20805 as being solely of comparatively average severity, the truth that attackers are already exploiting it solely heightens the chance, added Jack Bicer, director of vulnerability analysis at Action1. “For organizations, this vulnerability will increase the chance of profitable multi-stage assaults,” Bicer cautioned. “Leaked reminiscence particulars will be mixed with different vulnerabilities to realize privilege escalation or information theft, doubtlessly resulting in broader system compromise, regulatory publicity, and lack of belief.”
Extra More likely to Be Exploited
Microsoft recognized eight of the vulnerabilities in its January replace as points that attackers usually tend to exploit for a wide range of causes. Amongst them are two distant code execution (RCE) vulnerabilities in Home windows NTFS — CVE-2026-20840 (CVSS rating: 7.8) and CVE-2026-20922 (CVSS Rating: 7.8). Each are buffer overflow vulnerabilities that an attacker with prior entry to a system can exploit to execute arbitrary code on.
Kev Breen, senior director of risk analysis at Immersive urged organizations to handle the 2 vulnerabilities instantly, contemplating it was a third-party that recognized and reported the problems to Microsoft. That makes it seemingly that technical particulars on the bugs may grow to be publicly out there quickly, heightening the urgency for organizations to patch them, he stated in emailed feedback. “If detailed data is made public, this might rapidly grow to be an n-day vulnerability, making a slender window wherein organizations can apply patches earlier than exploitation turns into widespread,” Breen stated.
A Slew of Elevation of Privilege Bugs
The remaining six vulnerabilities on this month’s set that Microsoft thinks risk actors will seemingly abuse are all elevation-of-privilege (EoP) flaws that enable attackers who have already got entry to a system to escalate their entry ranges. The six flaws are CVE-2026-20816 in Home windows Installer; CVE-2026-20817, one other in Home windows Error Reporting; CVE-2026-20820, in Home windows Widespread Log File System Driver; CVE-2026-20843, affecting Home windows Routing and Distant Entry Service; CVE-2026-20860 in Home windows Ancillary Perform Driver for WinSock; and CVE-2026-20871 in Desktop Window Supervisor. Microsoft assigned every of those bugs an an identical severity rating of seven.8 out of 10 on the CVSS scale.
As all the time, a few of the flaws that Microsoft tagged as much less prone to be exploited nonetheless want precedence consideration. CVE-2026-20876, an EoP bug in Home windows Virtualization Primarily based Safety (VBS) Enclave, is one instance. The flaw permits an attacker to interrupt by way of the safety limitations of Home windows and acquire entry to probably the most trusted execution layers of the system, stated Mike Walters, president and co-founder of Action1. “This vulnerability poses a severe threat for organizations counting on VBS to guard credentials, secrets and techniques, and delicate workloads,” Walters defined in ready commentary. A profitable exploit may enable an attacker to bypass safety controls, set up deep persistence, and evade detection. The flaw provides them a option to “compromise techniques which might be assumed to be strongly remoted, growing the blast radius of an intrusion.”
Crucial however Decrease Threat?
CVE-2026-20952 (CVSS rating: 8.4) and CVE-2026-20953 (CVSS rating 8.4) are two flaws that Microsoft rated as essential, despite the fact that the corporate assessed the chance of attackers truly exploiting the bugs as low. Each flaws allow distant code execution, have an effect on Microsoft Workplace, and allow an unauthorized consumer to govt arbitrary code regionally. The vulnerabilities enable attackers to leverage a trusted Workplace doc and even the Preview Pane to ship malicious code. They permit an attacker to execute arbitrary code regionally with out requiring privileges and, in some eventualities, with none consumer interplay, Bicer stated.
“Whereas each vulnerabilities have been rated as much less prone to be exploited, they’re exploitable by way of Microsoft’s Preview Pane, which implies that attackers can obtain code execution with out a consumer ever opening a file,” Narang famous. “Within the trendy risk panorama, even a look is a threat.”
In 2025, Microsoft issued patches for 1,275 distinctive CVEs throughout its product portfolio. It opened final yr with a 157-patch replace — which included fixes for as many as eight zero-days — and delivered a file breaking 163-patch monster in October 2025.
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the most recent breakthroughs, get unique updates, and join with a worldwide community of future-focused thinkers.
Unlock tomorrow’s traits at this time: learn extra, subscribe to our publication, and grow to be a part of the NextTech neighborhood at NextTech-news.com
