Microsoft has released its first Patch Tuesday of 2026, delivering a massive wave of security fixes to protect users from various digital threats. This month, the tech giant addressed 115 vulnerabilities, out of which eight are considered Critical, the highest risk level, while 106 are labelled Important.
For those unfamiliar with the term, Patch Tuesday is the day Microsoft regularly releases updates to fix security holes. This January, the updates cover everything from Windows 11 and Microsoft Office to the Edge browser.
Zero-Day Threats and Active Risks
One of the most pressing issues is the fix for three zero-day vulnerabilities, which refer to flaws discovered before a fix was ready. These include:
CVE-2026-20805 (Desktop Window Manager): According to data from research firms like Qualys and CrowdStrike, this flaw is already being used by attackers in the wild. It is an information disclosure bug that lets hackers peek at sensitive data in the computer’s memory.
Experts warn that it is often used as a stepping stone for deeper attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has urged everyone to apply this patch before February 3, 2026.
CVE-2023-31096 (Agere Soft Modem Driver): Publicly disclosed but not yet seen in active attacks, this flaw allowed hackers to gain full SYSTEM control. Microsoft fixed this by removing the old drivers entirely.
CVE-2026-21265 (Secure Boot): This involves expiring certificates that could let attackers bypass the Secure Boot protection that ensures your computer only starts with trusted software.
Critical Fixes for Office and Windows
The update also fixes dangerous Remote Code Execution (RCE) flaws, which, if left unpatched, can allow hackers to run malicious software on your computer from a remote location.
It is worth noting that several bugs, including CVE-2026-20952, CVE-2026-20953 (Office), CVE-2026-20944 (Word), and CVE-2026-20955 (Excel), could allow hackers to take over a computer if a user simply opens a malicious file or views a rigged email in the Preview Pane.
Insights from Security Researchers
In research shared exclusively with Hackread.com, the team at Action1 provided further insights into these risks. Their Director of Vulnerability Research, Jack Bicer, noted that the Windows Graphics bug (CVE-2026-20822) is especially urgent for businesses, as it allows a limited user to escalate their access to full control.
The company further noted in their blog post that even the Windows authentication service, LSASS, was at risk via CVE-2026-20854. As we know it, this service handles passwords, and a flaw here could allow hackers to move through an entire office network. Additionally, CVE-2026-20876 was identified as a critical threat to protected layers of the operating system.
It is worth noting that while 115 fixes might seem overwhelming, most home users will receive these updates automatically. The next round of updates is expected on February 10.