Microsoft’s January 2026 updates fix 114 vulnerabilities, with several remote code execution bugs rated critical across Office applications and Windows services such as LSASS.
This Patch Tuesday addresses critical remote code execution flaws and numerous elevation of privilege issues that could enable attackers to compromise systems.
| Vulnerability Type | Count |
|---|---|
| Remote Code Execution | 22 |
| Denial of Service | 2 |
| Elevation of Privilege | 57 |
| Information Disclosure | 22 |
| Security Feature Bypass | 3 |
| Spoofing | 5 |
| Tampering | 3 |
| Total | 114 |
The release includes 12 critical CVEs and over 90 important CVEs, primarily elevation-of-privilege flaws in kernel drivers and management services.
Zero-Day Vulnerabilities
CVE-2026-20805 is an information disclosure flaw in the Desktop Window Manager, rated high by researchers. CVE-2026-21265 is an elevation-of-privilege flaw in Windows digital media handling, the kind of local bug commonly chained after an initial foothold. CVE-2023-31096 appears as a backported or related fix in the cumulative updates.
| CVE ID | Component | Type | Severity | Key Notes |
|---|---|---|---|---|
| CVE-2026-20805 | Desktop Window Manager | Information Disclosure | Important (High per Check Point) | Allows unauthorized access to sensitive data; patched January 13, 2026 |
| CVE-2026-21265 | Windows Digital Media | Elevation of Privilege | Not specified | Enables local privilege escalation |
| CVE-2023-31096 | Unknown (legacy) | Zero-day (contextual) | Not specified | Included in January 2026 updates despite earlier assignment |
Critical Vulnerabilities
Several critical remote code execution vulnerabilities stand out, including CVE-2026-20854 in Windows LSASS, stemming from a use-after-free error exploitable over networks.
The Office suite faces multiple threats: CVE-2026-20944 (Word out-of-bounds read), CVE-2026-20953 and CVE-2026-20952 (use-after-free), and CVE-2026-20955 and CVE-2026-20957 (Excel pointer issues and integer underflow).
Additional critical elevation-of-privilege bugs affect the Graphics Component (CVE-2026-20822) and the VBS Enclave (CVE-2026-20876); both are use-after-free flaws exploitable by a local attacker.
| CVE ID | Affected Component | Description Summary | Severity |
|---|---|---|---|
| CVE-2026-20854 | Windows LSASS | Use-after-free RCE | Critical |
| CVE-2026-20944 | Microsoft Word | Out-of-bounds read RCE | Critical |
| CVE-2026-20953 | Microsoft Office | Use-after-free RCE | Critical |
Windows components account for most of the highest-rated issues, with over 30 elevation-of-privilege flaws in services such as Management Services, SMB Server, and Win32k, typically rooted in race conditions or use-after-free bugs. Information disclosure bugs in File Explorer and VBS round out the notable risks.
Deploy updates starting with internet-facing systems like WSUS (CVE-2026-20856) and SMB servers, then Office endpoints. Test in staging environments due to potential regressions in drivers like Cloud Files Mini Filter. Enable automatic updates for consumer devices and monitor CISA KEV for any rapid additions, as zero-days heighten urgency.
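The rollout order above (known-exploited and zero-day first, then internet-facing roles, then critical Office RCEs, then the rest) can be made mechanical. The following script is an added example, not Microsoft or CISA code: it parses the real CISA KEV JSON schema and ranks the CVEs this article names; the patch-set attributes are only those the article states, and the KEV sample embedded at the bottom is constructed for the demonstration, not real catalog data.

```python
"""Rank the January 2026 CVEs named in this article into a patch order, using the
CISA KEV feed as the first tie-breaker. Added example, not vendor code."""
import json

# Real feed location; fetch it separately and pass the JSON text to load_kev_ids().
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# CVEs from the article with only the attributes it states. "network" marks bugs the
# article describes as network-exploitable (LSASS) or tied to internet-facing roles (WSUS).
PATCH_SET = {
    "CVE-2026-20805": dict(component="Desktop Window Manager", kind="Info Disclosure", critical=False, zero_day=True, network=False),
    "CVE-2026-21265": dict(component="Windows Digital Media", kind="EoP", critical=False, zero_day=True, network=False),
    "CVE-2023-31096": dict(component="Unknown (legacy)", kind="Not stated", critical=False, zero_day=True, network=False),
    "CVE-2026-20854": dict(component="Windows LSASS", kind="RCE", critical=True, zero_day=False, network=True),
    "CVE-2026-20856": dict(component="WSUS", kind="Not stated", critical=False, zero_day=False, network=True),
    "CVE-2026-20944": dict(component="Microsoft Word", kind="RCE", critical=True, zero_day=False, network=False),
    "CVE-2026-20952": dict(component="Microsoft Office", kind="RCE", critical=True, zero_day=False, network=False),
    "CVE-2026-20953": dict(component="Microsoft Office", kind="RCE", critical=True, zero_day=False, network=False),
    "CVE-2026-20955": dict(component="Microsoft Excel", kind="RCE", critical=True, zero_day=False, network=False),
    "CVE-2026-20957": dict(component="Microsoft Excel", kind="RCE", critical=True, zero_day=False, network=False),
    "CVE-2026-20822": dict(component="Graphics Component", kind="EoP", critical=True, zero_day=False, network=False),
    "CVE-2026-20876": dict(component="VBS Enclave", kind="EoP", critical=True, zero_day=False, network=False),
}

def load_kev_ids(feed_json: str) -> set[str]:
    """Extract CVE IDs from a KEV catalog document ({"vulnerabilities": [{"cveID": ...}, ...]})."""
    catalog = json.loads(feed_json)
    return {entry["cveID"] for entry in catalog.get("vulnerabilities", [])}

def tier(cve: str, info: dict, kev_ids: set[str]) -> int:
    """Lower tier number means patch sooner, following the article's rollout guidance."""
    if cve in kev_ids or info["zero_day"]:          # exploited in the wild or publicly known
        return 0
    if info["network"]:                              # network-exploitable / internet-facing roles
        return 1
    if info["critical"] and info["kind"] == "RCE":   # critical RCE, mostly Office endpoints
        return 2
    return 3                                         # remaining (local EoP etc.)

def prioritize(patch_set: dict, kev_ids: set[str]) -> list[str]:
    """Return CVE IDs sorted by tier, then by ID for a stable order."""
    return sorted(patch_set, key=lambda c: (tier(c, patch_set[c], kev_ids), c))

# Constructed sample in the KEV schema for offline use; NOT real catalog data.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21265", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-01-14", "knownRansomwareCampaignUse": "Unknown"}]})

if __name__ == "__main__":
    kev = load_kev_ids(SAMPLE_KEV)
    for cve in prioritize(PATCH_SET, kev):
        print(tier(cve, PATCH_SET[cve], kev), cve, PATCH_SET[cve]["component"])
```

Replace SAMPLE_KEV with the text fetched from KEV_URL to rank against the live catalog.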