Chipp.in Tech News and Reviews

Windows, Security & Privacy, Open Source and more


New Year, New Zero-Day: The January 2026 Windows Patch Tuesday Breakdown

Posted on January 14, 2026 / January 15, 2026 by Martin Brinkmann

If you were hoping for a quiet start to the new year, Microsoft has other plans.

The January 2026 Patch Tuesday is here, and it marks a heavy start to the year for system administrators. Microsoft has addressed a massive 114 vulnerabilities across its ecosystem, including eight critical flaws and a zero-day that require immediate attention.

While Microsoft released a large number of patches for its operating systems and services, it is CVE-2026-20805 that requires immediate attention. It is an actively exploited zero-day vulnerability in the Desktop Window Manager (DWM) that is being used by threat actors to bypass security controls.

Add to that a “no-click” remote code execution flaw in Microsoft Office that is triggered through the preview pane, and it is clear that administrators have their hands full in the coming days addressing these and other issues.

Beyond the security fixes, this month also brings some significant housekeeping: Microsoft is officially purging legacy Agere modem drivers from Windows images, marking the end of the road for decades-old hardware dependencies.

The January 2026 Patch Day overview

Executive Summary

  • Release Date: January 13, 2026
  • Total Vulnerabilities: 114
  • Critical Vulnerabilities: 8
  • Zero-Days (Actively Exploited): 1 (Desktop Window Manager)
  • Key Action Item: Administrators should prioritize patching CVE-2026-20805 (DWM) immediately, as it is being used in the wild to bypass security controls.

Important Patches

  • CVE-2026-20805 — Desktop Window Manager Information Disclosure Vulnerability
  • CVE-2026-21265 — Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
  • CVE-2026-20952 — Microsoft Office Remote Code Execution Vulnerability
  • CVE-2026-20953 — Microsoft Office Remote Code Execution Vulnerability
  • CVE-2023-31096 — MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability

Cumulative Updates

| Product, Version | KB Article | Notes |
| --- | --- | --- |
| Windows 10, Version 22H2 | KB5073724 | ESU Only. Security updates. Removes old modem drivers (Agere). |
| Windows 11, Version 24H2 | KB5074109 | Security updates and non-security changes. Removes old modem drivers (Agere). |
| Windows 11, Version 25H2 | KB5074109 | Security updates and non-security changes. Removes old modem drivers (Agere). |

Deep Dive: The Critical Vulnerabilities

While the total count of vulnerabilities is high, administrators may want to focus their attention on three specific issues: a zero-day vulnerability that is exploited in the wild, “no-click” Microsoft Office exploits, and a major issue affecting Secure Boot.

The Zero-Day: CVE-2026-20805 (actively exploited)

CVE-2026-20805 is an Information Disclosure vulnerability that allows a threat actor to read specific memory addresses from remote ALPC ports. While this does not allow the actors to run malicious code directly, attackers may exploit the vulnerability to bypass Address Space Layout Randomization (ASLR).

This may enable them to create other remote code execution exploits that target system components directly.

The “No-Click” Microsoft Office issue

CVE-2026-20952 and CVE-2026-20953 are use-after-free vulnerabilities that allow remote code execution. The danger comes from the fact that they do not require user interaction for execution.

They rely on preview panes, either in File Explorer or Outlook, to trigger exploits. An attacker would have to get a specially crafted Office document on the user’s computer. When a user views the file in a preview area, for example by selecting it in File Explorer, the exploit triggers.

The Secure Boot bypass

CVE-2026-21265 describes a Secure Boot issue. It is not a bug in code that can be exploited, but a cryptographic expiration issue. Secure Boot certificates issued in 2011 are set to expire later this year.

Installation of this update rotates the certificates ensuring that devices will continue to boot and won’t fail to boot once the old certificates expire.

Significant changes

Microsoft removes drivers for legacy Agere modems from Windows with this update. The modems have not been manufactured for a long time, and the main reason for the removal is the vulnerability CVE-2023-31096. Instead of patching the driver, Microsoft decided to remove it from Windows.

The removal affects Enterprise and industrial users for the most part. It can affect point-of-sale terminals or legacy fax servers that rely on Agere modem chipsets. These will no longer work when the update is applied.

A quick check of the Device Manager should reveal whether “Agere Systems” or “LSI” models are used.
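
The same Device Manager check can be scripted across several machines before the update is deployed. This is an added example, not from the article; the function name and host list are hypothetical, and it matches only the two vendor strings the article mentions.

```powershell
# Added example: list modem-class devices whose vendor strings match
# "Agere" or "LSI". Run this before installing the update, while the
# driver is still present.
function Find-AgereModem {
    [CmdletBinding()]
    param(
        # Hypothetical host list; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        $query = @{
            ClassName   = 'Win32_PnPSignedDriver'
            Filter      = "DeviceClass = 'MODEM'"
            ErrorAction = 'Stop'
        }
        # Only go over the network for remote hosts.
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

        try {
            Get-CimInstance @query |
                Where-Object {
                    "$($_.Manufacturer) $($_.DriverProviderName) $($_.DeviceName)" -match 'Agere|LSI'
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer      = $computer
                        Device        = $_.DeviceName
                        Manufacturer  = $_.Manufacturer
                        DriverVersion = $_.DriverVersion
                        InfName       = $_.InfName
                    }
                }
        }
        catch {
            # Unreachable or access-denied hosts are reported, not skipped silently.
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
    }
}

# Local check; pass -ComputerName 'pos-01','fax-01' (hypothetical names) for a fleet.
Find-AgereModem | Format-Table -AutoSize
```

No output means no matching modem driver was found on the queried hosts.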

WDS Hardening enters first phase

This is only relevant if Windows Deployment Services (WDS) is used. Microsoft is hardening WDS. The company introduces new event logging and Registry controls to block unauthenticated deployment requests.

Starting this month, logging is enabled. Administrators may enforce the block, but it is not enabled by default. From April 2026 onward, Microsoft plans to enable “block by default”.

Companies that rely on unauthenticated imaging have until April 2026 to switch to authenticated deployment. There is also a new AllowHandsFreeFunctionality Registry key, which enables the old status quo.

First Steps: Your Patch Tuesday Strategy

  1. Patch the Zero-Day issue that is exploited in the wild immediately.
  2. Deploy updates to mitigate the “no-click” vulnerability in Microsoft Office.
  3. Make sure legacy modem hardware is not in use anymore.
  4. Ensure that boot loaders are updated before certificates expire.

3 thoughts on “New Year, New Zero-Day: The January 2026 Windows Patch Tuesday Breakdown”

  1. VioletMoon says:
    January 15, 2026 at 3:59 pm

    Rather slow via Settings, but the updates all installed on five computers. No issues so far. Thanks for the news.

    [Recently, WAU Manager by Carifred has been a self-defeating tool. It really screws a Chrome and Team Viewer update and is now failing with Windows Updates. It used to be a trusted piece of software. It was worth the time to email the developer to let him know.

    PatchMyPc and Uniget for program updates–it’s great how the developers have the programs plug in to the Startup folder, so one has programs running at boot that are unwanted. Gosh, don’t even like to run them because I have to go in and delete the values after updating.

  2. TelV says:
    February 11, 2026 at 10:08 am

    “Installation of this update rotates the certificates ensuring that devices will continue to boot and won’t fail to boot once the old certificates expire”. This revelation worries me because I used Steve Gibson’s “InControl” app to halt updates to Windows 11 22h2. At the time, it was all those new features which I didn’t want, especially “Recall” because of its security implications.

    But I’m thinking now that I’ll have to consider doing some catching up if there’s no other way to bypass this Secure Boot issue.

  3. TelV says:
    February 11, 2026 at 10:28 am

    Forgive me for posting this here now, but there wasn’t enough time left on the Edit function to change my previous post.

    Anyway, I just checked the Secalerts site to see if there’s a patch available to address the CVE-2026-21265 Secure Boot bypass vulnerability for Windows 11 22h2, but it doesn’t appear on their site at all. Here’s the link to their site: https://secalerts.co/vulnerability/CVE-2026-21265

    So does this imply that Win 11 22h2 isn’t vulnerable to this bug because the Secure Boot certificates issued in 2011 haven’t been installed on my machine, or am I just not understanding the issue?
