Full Report
8Critical105Important0Moderate0LowMicrosoft addresses 113 CVEs in the first Patch Tuesday of 2026, with two zero-days, including one that was exploited in the wild.Microsoft patched 113 CVEs in its January 2026 Patch Tuesday release, with eight rated critical and 105 rated as important. Our counts omitted one CVE that was assigned by MITRE, CVE-2023-31096.This month’s update includes patches for:Azure Connected Machine AgentAzure Core shared client library for PythonCapability Access Management Service (camsvc)Connected Devices Platform Service (Cdpsvc)Desktop Window ManagerDynamic Root of Trust for Measurement (DRTM)Graphics KernelHost Process for Windows TasksInbox COM ObjectsMicrosoft Graphics ComponentMicrosoft OfficeMicrosoft Office ExcelMicrosoft Office SharePointMicrosoft Office WordPrinter Association ObjectSQL ServerTablet Windows User Interface (TWINUI) SubsystemWindows Admin CenterWindows Ancillary Function Driver for WinSockWindows Client-Side Caching (CSC) ServiceWindows Clipboard ServerWindows Cloud Files Mini Filter DriverWindows Common Log File System DriverWindows DWMWindows Deployment ServicesWindows Error ReportingWindows File ExplorerWindows HTTP.sysWindows HelloWindows Hyper-VWindows InstallerWindows Internet Connection Sharing (ICS)Windows KerberosWindows KernelWindows Kernel MemoryWindows Kernel-Mode DriversWindows LDAP - Lightweight Directory Access ProtocolWindows Local Security Authority Subsystem Service (LSASS)Windows Local Session Manager (LSM)Windows Management ServicesWindows MediaWindows NDISWindows NTFSWindows NTLMWindows Remote AssistanceWindows Remote Procedure CallWindows Remote Procedure Call Interface Definition Language (IDL)Windows Routing and Remote Access Service (RRAS)Windows SMB ServerWindows Secure BootWindows Server Update ServiceWindows ShellWindows TPMWindows Telephony ServiceWindows Virtualization-Based Security (VBS) EnclaveWindows WalletServiceWindows Win32K - ICOMPElevation of privilege (EoP) vulnerabilities accounted for 49.6% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 19.5%.ImportantCVE-2026-20805 | Desktop Window Manager Information Disclosure VulnerabilityCVE-2026-20805 is an information disclosure vulnerability affecting Desktop Window Manager. It was assigned a CVSSv3 score of 5.5 and was rated as important. Successful exploitation allows an authenticated attacker to access sensitive data. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.Additionally, Microsoft patched another Desktop Window Manager vulnerability this month. CVE-2026-20871 is an EoP vulnerability that was assigned a CVSSv3 score of 7.8 and was rated as important. Contrary to CVE-2026-20805, CVE-2026-20871 was not exploited in the wild, although it was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.ImportantCVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass VulnerabilityCVE-2026-21265 is a security feature bypass in the Windows Secure Boot. It was assigned a CVSSv3 score of 6.4 and is rated important. It was assessed as “Exploitation Less Likely.”Microsoft certificates are stored in the Unified Extensible Firmware Interface (UEFI) Key Enrollment Key (also known as Key Exchange or KEK) and DB. These certificates are reaching their expiration date, so these certificates need to be updated to ensure Secure Boot functionality remains and to prevent future issues from arising. The following are the certificates set to expire in 2026:Certificate Authority (CA)Expiration DatePurposeLocationMicrosoft Corporation KEK CA 2011June 24, 2026Signs updates to the DB and DBXKEKMicrosoft Corporation UEFI CA 2011June 27, 2026Signs third party boot loaders, Option ROMs and moreDBMicrosoft Windows Production PCA 2011October 19, 2026Signs the Windows Boot ManagerDBThis vulnerability is considered “Publicly Disclosed” because the information about the expiration and the location of these certificates are public.CriticalCVE-2026-20952 and CVE-2026-20953 | Microsoft Office Remote Code Execution VulnerabilityCVE-2026-20952 and CVE-2026-20953 are RCE vulnerabilities affecting Microsoft Office. Each of these vulnerabilities were assigned a CVSSv3 score of 8.4, rated as critical and assessed as "Exploitation Less Likely.” An attacker could exploit these flaws through social engineering by sending the malicious Microsoft Office document file to an intended target. Successful exploitation would grant code execution privileges to the attacker.Despite being flagged as “Exploitation Less Likely,” Microsoft notes that the Preview Pane is an attack vector for both vulnerabilities, which means exploitation does not require the target to open the file.ImportantCVE-2026-20840 and CVE-2026-20922 | Windows NTFS Remote Code Execution VulnerabilityCVE-2026-20840 and CVE-2026-20922 are RCE vulnerabilities affecting Windows New Technology File System (NTFS). Both were assigned CVSSv3 scores of 7.8 and are rated as important. Microsoft assessed both of these flaws as “Exploitation More Likely.” According to Microsoft, both these flaws stem from heap-based buffer overflows which can be exploited to execute arbitrary code on an affected system. Both advisories also note that any authenticated attacker can exploit these flaws, regardless of privilege level.Tenable SolutionsA list of all the plugins released for Microsoft’s January 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft's January 2026 Security UpdatesTenable plugins for Microsoft January 2026 Patch Tuesday Security UpdatesJoin Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
This summary focuses only on the specific vulnerabilities detailed in the context: CVE-2026-20805, CVE-2026-20871, CVE-2026-21265, CVE-2026-20952, CVE-2026-20953, CVE-2026-20840, and CVE-2026-20922.
---
# Vulnerability: Desktop Window Manager Information Disclosure (Zero-Day)
## CVE Details
- CVE ID: CVE-2026-20805
- CVSS Score: 5.5 (Important)
- CWE: Not explicitly provided, but relates to Information Disclosure.
## Affected Systems
- Products: Desktop Window Manager
- Versions: Not specified (Implied all affected prior to patch).
- Configurations: Requires an authenticated attacker.
## Vulnerability Description
This is an Information Disclosure vulnerability within the Desktop Window Manager. Successful exploitation allows an authenticated attacker to read sensitive data from the system.
## Exploitation
- Status: **Exploited in the wild as a zero-day.**
- Complexity: Authentication required, suggesting Local or Adjacent access needed initially.
- Attack Vector: Local/Authenticated access likely required to initiate the disclosure.
## Impact
- Confidentiality: Potentially high (access to sensitive data).
- Integrity: Low (Information Disclosure, not modification).
- Availability: Low (Information Disclosure, not denial of service).
## Remediation
### Patches
- Microsoft January 2026 Security Update (Specific patch KB not provided).
### Workarounds
- None specified in the provided text. Implement strict access controls until patched.
## Detection
- Detection methods involve scanning for missing updates from the January 2026 release.
- Indicators of compromise would relate to unusual data access patterns originating from the DWM context following successful authentication.
## References
- Vendor advisories: ms.com/update-guide/en-us/releaseNote/2026-Jan (Defanged: ms.com/update-guide/en-us/releaseNote/2026-Jan)
- Relevant links - defanged: tenable.com/plugins/search?q=%22January+2026%22+AND+script_family%3A%28%22Windows+%3A+Microsoft+Bulletins%22+OR+%22Windows%22%29&sort=&page=1
---
# Vulnerability: Desktop Window Manager Elevation of Privilege
## CVE Details
- CVE ID: CVE-2026-20871
- CVSS Score: 7.8 (Important)
- CWE: Not explicitly provided, but relates to EoP.
## Affected Systems
- Products: Desktop Window Manager
- Versions: Not specified.
- Configurations: None specified.
## Vulnerability Description
An Elevation of Privilege (EoP) vulnerability in the Desktop Window Manager. Successful exploitation grants the attacker higher privileges on the system.
## Exploitation
- Status: Not exploited in the wild, but assessed by Microsoft as "Exploitation More Likely."
- Complexity: Authentication required (likely local context).
- Attack Vector: Local.
## Impact
- Confidentiality: Potential increase if higher privileges grant access to restricted information.
- Integrity: High (Ability to modify system state/data).
- Availability: Potential degradation depending on the level of privilege escalation achieved.
## Remediation
### Patches
- Microsoft January 2026 Security Update.
### Workarounds
- None specified.
## Detection
- Detection methods involve scanning for missing updates from the January 2026 release.
## References
- Vendor advisories: ms.com/update-guide/en-us/releaseNote/2026-Jan (Defanged: ms.com/update-guide/en-us/releaseNote/2026-Jan)
- Relevant links - defanged: tenable.com/plugins/search?q=%22January+2026%22+AND+script_family%3A%28%22Windows+%3A+Microsoft+Bulletins%22+OR+%22Windows%22%29&sort=&page=1
---
# Vulnerability: Windows Secure Boot Certificate Expiration (Security Feature Bypass)
## CVE Details
- CVE ID: CVE-2026-21265
- CVSS Score: 6.4 (Important)
- CWE: Security Feature Bypass (Related to certificate management).
## Affected Systems
- Products: Windows Secure Boot (related to UEFI Firmware/Boot Sequence).
- Versions: Systems relying on the expiring Microsoft certificates (KEK and DB entries).
- Configurations: Any system utilizing Secure Boot with these legacy Microsoft certificates.
## Vulnerability Description
This vulnerability is related to the expiration of Microsoft signing certificates stored in the UEFI Key Enrollment Key (KEK) and DB database. If these certificates expire without updating, Secure Boot functionality may cease, leading to a security feature bypass or boot failure. The vulnerability is considered Publicly Disclosed due to the public nature of certificate expiration dates.
## Exploitation
- Status: Publicly Disclosed (Information available, but direct exploitation path described is preventative maintenance).
- Complexity: Less Likely (Microsoft assessment).
- Attack Vector: Pre-boot/Firmware level.
## Impact
- Confidentiality: Low.
- Integrity: Medium (Failure to enforce boot integrity).
- Availability: High potential impact if failure to update prevents system startup or trusted boot chain enforcement.
## Remediation
### Patches
- Microsoft January 2026 Security Update (This update includes necessary certificate changes).
### Workarounds
- None specified; proactive certificate replacement/update via the patch is required.
## Detection
- Detection involves auditing UEFI settings and installed Microsoft signing certificates against expiration dates.
## References
- Vendor advisories: ms.com/update-guide/en-us/releaseNote/2026-Jan (Defanged: ms.com/update-guide/en-us/releaseNote/2026-Jan)
- Relevant links - defanged: tenable.com/plugins/search?q=%22January+2026%22+AND+script_family%3A%28%22Windows+%3A+Microsoft+Bulletins%22+OR+%22Windows%22%29&sort=&page=1
---
# Vulnerability: Microsoft Office Remote Code Execution (Two Flaws)
## CVE Details
- CVE ID: CVE-2026-20952 and CVE-2026-20953 (Grouped due to similar nature)
- CVSS Score: 8.4 (Critical) for both.
- CWE: Not explicitly provided, but related to Remote Code Execution via file handling.
## Affected Systems
- Products: Microsoft Office (Word, Excel, SharePoint components may be implicitly affected).
- Versions: Not specified.
- Configurations: Exploitation can occur simply by having the Preview Pane enabled without opening the file.
## Vulnerability Description
These are critical Remote Code Execution (RCE) vulnerabilities in Microsoft Office. An attacker can exploit this by sending a malicious Office document file to a target. Successful exploitation grants the attacker code execution privileges on the compromised system.
## Exploitation
- Status: Exploitation Less Likely (Microsoft assessment).
- Complexity: Medium (Requires social engineering to deliver the file, but vector is simplified via Preview Pane).
- Attack Vector: Network (via document delivery).
## Impact
- Confidentiality: High.
- Integrity: High (Arbitrary code execution).
- Availability: High (Potential for system compromise/disruption).
## Remediation
### Patches
- Microsoft January 2026 Security Update.
### Workarounds
- Disable the Microsoft Office Preview Pane functionality until patches are applied.
## Detection
- Monitor network traffic for suspicious file deliveries targeting Office applications.
- Scan environments for missing January 2026 security updates.
## References
- Vendor advisories: ms.com/update-guide/en-us/releaseNote/2026-Jan (Defanged: ms.com/update-guide/en-us/releaseNote/2026-Jan)
- Relevant links - defanged: tenable.com/plugins/search?q=%22January+2026%22+AND+script_family%3A%28%22Windows+%3A+Microsoft+Bulletins%22+OR+%22Windows%22%29&sort=&page=1
---
# Vulnerability: Windows NTFS Remote Code Execution (Two Flaws)
## CVE Details
- CVE ID: CVE-2026-20840 and CVE-2026-20922 (Grouped due to similar nature)
- CVSS Score: 7.8 (Important) for both.
- CWE: Heap-based buffer overflow.
## Affected Systems
- Products: Windows NTFS (New Technology File System).
- Versions: Not specified.
- Configurations: Exploitation is possible by any **authenticated attacker**, regardless of privilege level.
## Vulnerability Description
These are RCE vulnerabilities stemming from heap-based buffer overflows in the Windows NTFS driver. Successful exploitation allows an authenticated attacker to execute arbitrary code on the affected system.
## Exploitation
- Status: Exploitation More Likely (Microsoft assessment).
- Complexity: Medium, requires authenticated access.
- Attack Vector: Local or via authenticated network services interacting with NTFS structures.
## Impact
- Confidentiality: High.
- Integrity: High (Arbitrary code execution).
- Availability: High.
## Remediation
### Patches
- Microsoft January 2026 Security Update.
### Workarounds
- None specified. Restrict or carefully monitor system authentication permissions if immediate patching is not possible.
## Detection
- Detection involves scanning for missing updates from the January 2026 release.
- Monitor system integrity when processing files via NTFS by an authenticated user.
## References
- Vendor advisories: ms.com/update-guide/en-us/releaseNote/2026-Jan (Defanged: ms.com/update-guide/en-us/releaseNote/2026-Jan)
- Relevant links - defanged: tenable.com/plugins/search?q=%22January+2026%22+AND+script_family%3A%28%22Windows+%3A+Microsoft+Bulletins%22+OR+%22Windows%22%29&sort=&page=1