January 2026 Patch Tuesday: 114 CVEs Patched Including 3 Zero-Days

Microsoft has addressed 114 vulnerabilities in its January 2026 security update release, including 112 newly patched CVEs and 2 updated advisories. This month's update addresses one actively exploited Important vulnerability, two publicly disclosed Important vulnerabilities, and eight Critical vulnerabilities, along with 103 additional CVEs of varying severity levels.

January 2026 Risk Analysis

This month's leading risk types by exploitation technique are elevation of privilege with 57 patches (50%), remote code execution (RCE) with 22 patches (19%), and information disclosure with 22 patches (19%).

Actively Exploited Zero-Day Vulnerability in Windows Desktop Window Manager 

CVE-2026-20805 is an Important information disclosure vulnerability affecting Windows Desktop Window Manager with a CVSS score of 5.5. Microsoft has confirmed this vulnerability is being actively exploited in the wild.

The vulnerability allows local attackers with basic user privileges to access sensitive system memory addresses through Windows internal communication channels. This information can help attackers bypass security protections or enable more sophisticated attacks. The vulnerability is easy to exploit, requiring only local access with no user interaction, and affects multiple versions of Windows 10, Windows 11, and Windows Server systems.

Publicly Disclosed Zero-Day Vulnerability in Windows Agere Soft Modem

CVE-2023-31096 is an Important elevation of privilege vulnerability affecting Windows Agere Soft Modem drivers with a CVSS score of 7.8. While it has been publicly disclosed, there is no evidence of exploitation in the wild. 

This vulnerability enables authenticated local attackers with low-level privileges to escalate to SYSTEM-level access through a stack-based buffer overflow in Agere Soft Modem drivers. Successful exploitation allows attackers to gain complete control over affected Windows systems.

Microsoft has addressed this vulnerability by removing the Agere Soft Modem drivers in the January 2026 cumulative update. As a result, soft modem hardware dependent on these drivers will no longer function on Windows.

Publicly Disclosed Zero-Day Vulnerability in Windows Secure Boot

CVE-2026-21265 is an Important security feature bypass vulnerability affecting Windows Secure Boot with a CVSS score of 6.4. This vulnerability allows authenticated local attackers with high privileges to bypass security features by exploiting weaknesses in the certificate update mechanism through local access to the system. While it has been publicly disclosed, there is no evidence of active exploitation in the wild. 

Defects in the certificate update mechanism's firmware components could disrupt the Secure Boot trust chain. Successful exploitation requires high attack complexity and could allow attackers to bypass Secure Boot protections. Microsoft has released an official fix and detailed guidance for both Microsoft-managed and IT-managed Windows devices.

Two Critical Vulnerabilities in Microsoft Office

CVE-2026-20952 and CVE-2026-20953 are Critical remote code execution vulnerabilities in Microsoft Office, both with CVSS scores of 8.4. These vulnerabilities allow unauthenticated attackers to execute arbitrary code by exploiting use-after-free conditions in Microsoft Office components. Exploitation requires no user interaction in the worst-case scenario and can be triggered by sending specially crafted malicious emails or links to the target user, with the preview pane serving as an attack vector for both vulnerabilities. In the most severe attack scenario, an attacker could send a specially crafted email without requiring the victim to open the link, resulting in remote code execution on the victim's machine.

Three Critical Vulnerabilities in Microsoft Office Products

CVE-2026-20944 is a Critical remote code execution vulnerability in Microsoft Word with a CVSS score of 8.4. This vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting an out-of-bounds read weakness in Microsoft Office Word components. Exploitation requires user interaction: an attacker must send a malicious file and convince the target user to open it, with the preview pane serving as an attack vector for this vulnerability.

CVE-2026-20955 and CVE-2026-20957 are Critical remote code execution vulnerabilities in Microsoft Excel, both with CVSS scores of 7.8. These vulnerabilities allow unauthenticated attackers to execute arbitrary code by exploiting an untrusted pointer dereference weakness (CVE-2026-20955) and an integer underflow leading to a heap-based buffer overflow (CVE-2026-20957) in Microsoft Office Excel components. Exploitation requires user interaction; an attacker must send a malicious file and convince the target user to open it. Unlike the Word vulnerability CVE-2026-20944, the preview pane is not an attack vector for either of these Excel vulnerabilities.

A Critical Vulnerability in Windows Graphics

CVE-2026-20822 is a Critical elevation of privilege vulnerability in Windows Graphics Component with a CVSS score of 7.8. This vulnerability allows authenticated attackers with low privileges to elevate to SYSTEM privileges by exploiting a use-after-free condition in the Microsoft Graphics Component. Exploitation requires no user interaction but has high attack complexity, as successful exploitation requires the attacker to win a race condition. In virtualized GPU environments, an attacker who successfully exploits this vulnerability could break out of a virtual machine and gain access to the underlying host system.

Two Critical Vulnerabilities in Windows Security Components

CVE-2026-20854 is a Critical remote code execution vulnerability in Windows Local Security Authority Subsystem Service (LSASS) with a CVSS score of 7.5. This vulnerability allows authenticated attackers with low privileges to execute arbitrary code over a network by exploiting a use-after-free condition (CWE-416) in Windows LSASS. Any authenticated attacker can trigger this vulnerability by modifying certain directory attributes to provide crafted data that causes the system to reference invalid memory during authentication, potentially leading to a crash or remote code execution. Successful exploitation requires high attack complexity, as the attacker must prepare the target environment to improve exploit reliability.

CVE-2026-20876 is a Critical elevation of privilege vulnerability in Windows Virtualization-Based Security (VBS) Enclave with a CVSS score of 6.7. This vulnerability allows attackers who already have administrator access to break into the system's most protected security layer, which is designed to safeguard critical functions like password protection and security features even when the system is compromised. The attack is relatively straightforward to execute and requires no user interaction.

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.

Learn More

The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article. 

Additional Resources

• For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
• Learn how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments. 
• Make prioritization painless and efficient. Watch how Falcon Exposure Management enables IT staff to improve visibility with custom filters and team dashboards.
• Find out how CrowdStrike Falcon® Next-Gen Identity Security products can stop workforce identity threats faster. 
• Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.