Microsoft’s first security update of 2026 addressed 112 vulnerabilities across its products and systems, including an actively exploited zero-day in Desktop Window Manager.
The latest Patch Tuesday update from the company marks the second consecutive month without critical vulnerabilities. This batch also includes over 110 CVEs, mirroring the previous January’s count.
The zero-day vulnerability, identified as CVE-2026-20805, is an information disclosure flaw with a CVSS rating of 5.5. An unauthorized attacker could exploit it to reveal sensitive information. The Cybersecurity and Infrastructure Security Agency added this defect to its known exploited vulnerabilities catalog on Tuesday.
Information disclosure vulnerabilities are not frequently exploited in the wild, according to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. He noted in a blog post that memory leaks can be as significant as code execution bugs because they make remote code execution exploits more reliable.
Jack Bicer, director of vulnerability research at Action1, agreed, stating that memory exposed through the exploitation of CVE-2026-20805 could weaken defenses and strengthen other exploits.
Bicer explained in an email that this vulnerability heightens the risk of successful multi-stage attacks. Leaked memory details, when combined with other vulnerabilities, could lead to privilege escalation or data theft, potentially resulting in wider system compromise, regulatory issues, and a loss of trust.
Microsoft did not disclose the number of attacks associated with the zero-day. However, exploitation requires the attacker to have local access to the targeted system, according to Satnam Narang, senior staff research engineer at Tenable.
Narang added that while Desktop Window Manager frequently appears on Patch Tuesday, with 20 CVEs patched in this library since 2022, this marks the first instance of an information disclosure bug in this component being exploited in the wild. Attackers have historically leveraged the component for privilege escalation.
Among the most severe defects revealed by Microsoft this month are CVE-2026-20947 and CVE-2026-20963, impacting Microsoft Office SharePoint; CVE-2026-20868, affecting Windows Routing and Remote Access Service; CVE-2026-20952 and CVE-2026-20955, affecting Microsoft Office; and CVE-2026-20944, affecting Microsoft Office Word.
Microsoft also identified eight vulnerabilities, each with a CVSS rating of 7.8, as having a higher likelihood of exploitation this month.
The complete list of vulnerabilities addressed this month can be found in Microsoft’s Security Response Center.

