Microsoft’s January 2026 Patch Tuesday Fixes Two Actively Exploited Zero-Day Flaws

Microsoft has released the January 2026 Patch Tuesday updates for all supported versions of Windows 11. This release brings fixes for 112 new vulnerabilities across Windows, Office, Azure, SharePoint Server, SQL Server, SMB Server, and other components.

On the quality and experience updates front, this month’s Patch Tuesday updates introduce several notable changes across Windows versions, including the removal of legacy modem drivers, updates to Secure Boot certificate deployment, enhancements to power management on NPU‑equipped devices, and fixes for networking issues in WSL and Azure Virtual Desktop.

112 vulnerabilities fixed with the January 2026 Patch Tuesday updates

Among the 112 vulnerabilities that Microsoft fixed this month, 8 are rated “Critical” while the rest are rated Important in severity. There is also one security flaw that is already being exploited by attackers.

Let’s take a closer look at some of the most important vulnerabilities Microsoft fixed this month:

• CVE-2026-20805: This is an information disclosure vulnerability in the Desktop Window Manager that lets hackers leak memory addresses through a remote ALPC port. This medium-severity flaw (CVSS score: 5.5) is already being exploited by hackers and increases the risk of successful multi-stage attacks.
• CVE-2026-21265: This is a Secure Boot certificate expiration bypass vulnerability with a CVSS score of 6.4. Microsoft notified customers about the certificate expiration back in June 2025. The company has provided a deployment playbook to help IT professionals prepare for the Secure Boot certificates’ expiration in June of this year.
• CVE-2026-20952 and CVE-2026-20953: These critical security vulnerabilities that affect Microsoft Office carry a CVSS score of 8.4. Hackers could exploit the flaws to execute arbitrary code locally without requiring privileges or any user interaction.
• CVE-2023-31096: This is a 7.8-rated elevation of privilege flaw in the Windows Agere Soft Modem Driver. The driver reached end of support in 2016, and it has been removed entirely from affected Windows systems with the January 2026 update.
• CVE-2026-20840 and CVE-2026-20922: These two remote code execution (RCE) vulnerabilities exist in Windows NTFS. The buffer overflow flaws enable attackers with unauthorized access to the system to run arbitrary code locally on the victim’s machine.
• CVE-2026-20876: This is an elevation of privilege flaw affecting Windows Virtualization-Based Security Enclave that could allow attackers to gain SYSTEM-level access. A successful exploit could allow an attacker to bypass security controls, establish persistence, and evade detection.
• CVE-2026-20854: This is a remote code execution flaw in the Windows Local Security Authority Subsystem Service. It could be exploited by cybercriminals to steal credentials, move laterally across networks, and potentially compromise an entire domain.

You can find below the full list of CVEs released by Microsoft for January 2026:

Quality and experience updates

On Windows 11 versions 25H2 and 24H2, Microsoft has addressed an issue where mirrored networking in Windows Subsystem for Linux (WSL) could fail, causing “No route to host” errors. This bug could prevent access to corporate resources over VPN connections, even when the Windows host remained connected. The KB5074109 update also fixes an issue that triggers RemoteApp connection failures in Azure Virtual Desktop (AVD) environments.

Additionally, Microsoft has also introduced a change where Windows Deployment Services (WDS) will no longer support hands-free deployment functionality by default. This release also fixes a bug that causes devices with an NPU to stay powered on when idle. Microsoft says this issue could affect power performance on Windows systems.

Lastly, the KB5074109 update also removes a couple of modem drivers, including the agrsm64.sys (x64), agrsm.sys (x86), smserl64.sys (x64) and smserial.sys (x86). Microsoft has warned that modems dependent on these specific drivers will stop working on Windows 11 PCs.

Windows Update testing and best practices

Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary, as hackers start to work out how to weaponize newly reported vulnerabilities.

A best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.