Headline

Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed

Microsoft kicks off 2026 with 115 security updates, including a fix for an actively exploited zero-day. Protect your Windows and Office systems today.

2 hours ago

HackRead

Open in Source

#vulnerability #windows #microsoft #git #rce #auth #zero_day

Microsoft has released its first Patch Tuesday of 2026, delivering a massive wave of security fixes to protect users from various digital threats. This month, the tech giant addressed 115 vulnerabilities, out of which eight are considered Critical, the highest risk level, while 106 are labelled Important.

For those unfamiliar with the term, Patch Tuesday is the day Microsoft regularly releases updates to fix security holes. This January, the updates cover everything from Windows 11 and Microsoft Office to the Edge browser.

****Zero-Day Threats and Active Risks****

One of the most pressing issues is the fix for three zero-day vulnerabilities, which refer to flaws discovered before a fix was ready. These include:

CVE-2026-20805 (Desktop Window Manager): According to data from research firms like Qualys and CrowdStrike, this flaw is already being used by attackers in the wild. It is an information disclosure bug that lets hackers peek at sensitive data in the computer’s memory.

Patches details (Source: Qualys)

Experts warn that it is often used as a stepping stone for deeper attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has urged everyone to apply this patch before February 3, 2026.

CVE-2023-31096 (Agere Soft Modem Driver): Publicly disclosed but not yet seen in active attacks, this flaw allowed hackers to gain full SYSTEM control. Microsoft fixed this by removing the old drivers entirely.

CVE-2026-21265 (Secure Boot): This involves expiring certificates that could let attackers bypass the Secure Boot protection that ensures your computer only starts with trusted software.

****Critical Fixes for Office and Windows****

The update also fixes dangerous Remote Code Execution (RCE) flaws, which, if left unpatched, can allow hackers to run malicious software on your computer from a remote location.

It is worth noting that several bugs, including CVE-2026-20952, CVE-2026-20953 (Office), CVE-2026-20944 (Word), and CVE-2026-20955 (Excel), could allow hackers to take over a computer if a user simply opens a malicious file or views a rigged email in the Preview Pane.

****Insights from Security Researchers****

In research shared exclusively with Hackread.com, the team at Action1 provided further insights into these risks. Their Director of Vulnerability Research, Jack Bicer, noted that the Windows Graphics bug (CVE-2026-20822) is especially urgent for businesses, as it allows a limited user to escalate their access to full control.

The company further noted in their blog post that even the Windows authentication service, LSASS, was at risk via CVE-2026-20854. As we know it, this service handles passwords, and a flaw here could allow hackers to move through an entire office network. Additionally, CVE-2026-20876 was identified as a critical threat to protected layers of the operating system.

It is worth noting that while 115 fixes might seem overwhelming, most home users will receive these updates automatically. The next round of updates is expected on February 10.

Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild. Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code

Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited

Microsoft Patch Tuesday for January 2026 — Snort rules and prominent vulnerabilities