BLOG Featured Recent Video Category Start Free Trial January 2026 Patch Tuesday: 114 CVEs Patched Including 3 Zero-Days January 13, 2026 | Falcon Exposure Management Team | Exposure Management Microsoft has addressed 114 vulnerabilities in its January 2026 security update release, including 112 newly patched CVEs and 2 updated advisories. This month's update addresses one actively exploited Important vulnerability, two publicly disclosed Important vulnerabilities, and eight Critical vulnerabilities, along with 103 additional CVEs of varying severity levels. January 2026 Risk Analysis This month's leading risk types by exploitation technique are elevation of privilege with 57 patches (50%), remote code execution (RCE) with 22 patches (19%), and information disclosure with 22 patches (19%). Figure 1. Breakdown of January 2026 Patch Tuesday exploitation techniques Microsoft Windows received the most patches this month with 93, followed by Microsoft Office with 16. Figure 2. Breakdown of product families affected by January 2026 Patch Tuesday Actively Exploited Zero-Day Vulnerability in Windows Desktop Window Manager CVE-2026-20805 is an Important information disclosure vulnerability affecting Windows Desktop Window Manager with a CVSS score of 5.5. Microsoft has confirmed this vulnerability is being actively exploited in the wild. The vulnerability allows local attackers with basic user privileges to access sensitive system memory addresses through Windows internal communication channels. This information can help attackers bypass security protections or enable more sophisticated attacks. The vulnerability is easy to exploit, requiring only local access with no user interaction, and affects multiple versions of Windows 10, Windows 11, and Windows Server systems. Table 1. Important actively exploited zero-day vulnerability in Windows Desktop Window Manager Severity CVSS Score CVE Description Important 5.5 CVE-2026-20805 Desktop Window Manager Information Disclosure Vulnerability Publicly Disclosed Zero-Day Vulnerability in Windows Agere Soft Modem CVE-2023-31096 is an Important elevation of privilege vulnerability affecting Windows Agere Soft Modem drivers with a CVSS score of 7.8. While it has been publicly disclosed, there is no evidence of exploitation in the wild. This vulnerability enables authenticated local attackers with low-level privileges to escalate to SYSTEM-level access through a stack-based buffer overflow in Agere Soft Modem drivers. Successful exploitation allows attackers to gain complete control over affected Windows systems. Microsoft has addressed this vulnerability by removing the Agere Soft Modem drivers in the January 2026 cumulative update. As a result, soft modem hardware dependent on these drivers will no longer function on Windows. Table 2. Important publicly disclosed zero-day vulnerability in Windows Agere Soft Modem Severity CVSS Score CVE Description Important 7.8 CVE-2023-31096 Agere Soft Modem Driver Elevation of Privilege Vulnerability Publicly Disclosed Zero-Day Vulnerability in Windows Secure Boot CVE-2026-21265 is an Important security feature bypass vulnerability affecting Windows Secure Boot with a CVSS score of 6.4. This vulnerability allows authenticated local attackers with high privileges to bypass security features by exploiting weaknesses in the certificate update mechanism through local access to the system. While it has been publicly disclosed, there is no evidence of active exploitation in the wild. Defects in the certificate update mechanism's firmware components could disrupt the Secure Boot trust chain. Successful exploitation requires high attack complexity and could allow attackers to bypass Secure Boot protections. Microsoft has released an official fix and detailed guidance for both Microsoft-managed and IT-managed Windows devices. Table 3. Important publicly disclosed zero-day vulnerability in Windows Secure Boot Severity CVSS Score CVE Description Important 6.4 CVE-2026-21265 Secure Boot Certificate Expiration Security Feature Bypass Vulnerability Two Critical Vulnerabilities in Microsoft Office CVE-2026-20952 and CVE-2026-20953 are Critical remote code execution vulnerabilities in Microsoft Office, both with CVSS scores of 8.4. These vulnerabilities allow unauthenticated attackers to execute arbitrary code by exploiting use-after-free conditions in Microsoft Office components. Exploitation requires no user interaction in the worst-case scenario and can be triggered by sending specially crafted malicious emails or links to the target user, with the preview pane serving as an attack vector for both vulnerabilities. In the most severe attack scenario, an attacker could send a specially crafted email without requiring the victim to open the link, resulting in remote code execution on the victim's machine. Table 4. Critical vulnerabilities in Microsoft Office Severity CVSS Score CVE Description Critical 8.4 CVE-2026-20952 Microsoft Office Remote Code Execution Vulnerability Critical 8.4 CVE-2026-20953 Microsoft Office Remote Code Execution Vulnerability Three Critical Vulnerabilities in Microsoft Office Products CVE-2026-20944 is a Critical remote code execution vulnerability in Microsoft Word with a CVSS score of 8.4. This vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting an out-of-bounds read weakness in Microsoft Office Word components. Exploitation requires user interaction: an attacker must send a malicious file and convince the target user to open it, with the preview pane serving as an attack vector for this vulnerability. CVE-2026-20955 and CVE-2026-20957 are Critical remote code execution vulnerabilities in Microsoft Excel, both with CVSS scores of 7.8. These vulnerabilities allow unauthenticated attackers to execute arbitrary code by exploiting an untrusted pointer dereference weakness (CVE-2026-20955) and an integer underflow leading to a heap-based buffer overflow (CVE-2026-20957) in Microsoft Office Excel components. Exploitation requires user interaction; an attacker must send a malicious file and convince the target user to open it. Unlike the Word vulnerability CVE-2026-20944, the preview pane is not an attack vector for either of these Excel vulnerabilities. Table 5. Critical vulnerabilities in Microsoft Office Products Severity CVSS Score CVE Description Critical 8.4 CVE-2026-20944 Microsoft Word Remote Code Execution Vulnerability Critical 7.8 CVE-2026-20955 Microsoft Excel Remote Code Execution Vulnerability Critical 7.8 CVE-2026-20957 Microsoft Excel Remote Code Execution Vulnerability A Critical Vulnerability in Windows Graphics CVE-2026-20822 is a Critical elevation of privilege vulnerability in Windows Graphics Component with a CVSS score of 7.8. This vulnerability allows authenticated attackers with low privileges to elevate to SYSTEM privileges by exploiting a use-after-free condition in the Microsoft Graphics Component. Exploitation requires no user interaction but has high attack complexity, as successful exploitation requires the attacker to win a race condition. In virtualized GPU environments, an attacker who successfully exploits this vulnerability could break out of a virtual machine and gain access to the underlying host system. Table 6. Critical vulnerability in Windows Graphics Severity CVSS Score CVE Description Critical 7.8 CVE-2026-20822 Windows Graphics Component Elevation of Privilege Vulnerability Two Critical Vulnerabilities in Windows Security Components CVE-2026-20854 is a Critical remote code execution vulnerability in Windows Local Security Authority Subsystem Service (LSASS) with a CVSS score of 7.5. This vulnerability allows authenticated attackers with low privileges to execute arbitrary code over a network by exploiting a use-after-free condition (CWE-416) in Windows LSASS. Any authenticated attacker can trigger this vulnerability by modifying certain directory attributes to provide crafted data that causes the system to reference invalid memory during authentication, potentially leading to a crash or remote code execution. Successful exploitation requires high attack complexity, as the attacker must prepare the target environment to improve exploit reliability. CVE-2026-20876 is a Critical elevation of privilege vulnerability in Windows Virtualization-Based Security (VBS) Enclave with a CVSS score of 6.7. This vulnerability allows attackers who already have administrator access to break into the system's most protected security layer, which is designed to safeguard critical functions like password protection and security features even when the system is compromised. The attack is relatively straightforward to execute and requires no user interaction. Table 7. Critical vulnerabilities in Windows Security Components Severity CVSS Score CVE Description Critical 7.5 CVE-2026-20854 Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability Critical 6.7 CVE-2026-20876 Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability Patch Tuesday Dashboard in the Falcon Platform For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities. Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at