Microsoft released patches today to address at least 113 security vulnerabilities across its Windows operating systems and associated software. Eight of these flaws were deemed “critical,” and Microsoft indicated that one of the patched bugs is already being actively exploited by attackers.

The zero-day patched this month, CVE-2026-20805, is a flaw in the Desktop Window Manager (DWM), the core Windows component that composes and manages on-screen windows. Kev Breen, senior director of cyber threat research at Immersive, noted that despite a moderate CVSS score of 5.5, Microsoft has confirmed the vulnerability is being exploited in the wild, meaning threat actors have already used it in real attacks.
Breen explained that flaws like this are typically used to defeat Address Space Layout Randomization (ASLR), a core operating system mitigation that randomizes where code and data are loaded so that buffer overflows and other memory-corruption bugs are much harder to turn into reliable exploits.
According to Breen, this vulnerability can expose code locations in memory, allowing it to be combined with another code execution flaw. This combination can turn a complex exploit into a more practical and reliable attack. Microsoft has not specified other components that might be part of such an exploit chain, which restricts defenders’ capacity for proactive threat hunting. Consequently, prompt patching is currently the sole effective defense.
Chris Goettl, vice president of product management at Ivanti, noted that CVE-2026-20805 impacts all supported and extended security update versions of the Windows OS. Goettl advised against underestimating the flaw’s severity based on its “Important” rating and relatively low CVSS score.
He suggested that a risk-based prioritization approach would justify classifying this vulnerability as more severe than its official vendor rating or CVSS score indicates.
This month’s critical patches include two Microsoft Office remote code execution vulnerabilities (CVE-2026-20952 and CVE-2026-20953). These can be exploited simply by viewing a malicious message within the Preview Pane.
A previous Patch Tuesday summary from October 2025 highlighted Microsoft’s removal of a modem driver from all Windows versions due to hackers exploiting a vulnerability within it. Adam Barnett of Rapid7 reported that Microsoft has now removed additional modem drivers from Windows for a similar reason: the company is aware of working exploit code for an elevation of privilege vulnerability in a related modem driver, identified as CVE-2023-31096.
Barnett clarified that CVE-2023-31096 was first disclosed through MITRE more than two years ago, alongside a public write-up from the original researcher. This month's Windows patches remove agrsm64.sys and agrsm.sys; together with the driver pulled in October, all three modem drivers were written by the same now-defunct third party and have shipped with Windows for decades. Most users will never notice the removals, but active modems may still be in use in specific environments, such as certain industrial control systems.
Barnett raised two ongoing concerns: the number of legacy modem drivers still existing on fully-patched Windows systems, and how many more elevation-to-SYSTEM vulnerabilities might arise from them before Microsoft fully addresses this class of outdated device drivers that attackers have been exploiting.
Barnett noted that while Microsoft has not confirmed active exploitation for CVE-2023-31096, the 2023 write-up and the 2025 removal of another Agere modem driver have served as significant indicators for those seeking Windows exploits. He also emphasized that a modem does not need to be connected for a system to be vulnerable; the driver’s presence alone is sufficient.
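Barnett's last point, that the driver's presence alone is what matters, is something defenders can check directly. The PowerShell below is an added example, not code from the article, from Rapid7 or from Microsoft: it inventories a host for the legacy Agere modem driver binaries, any kernel service registered for them, and any OEM copy staged in the Driver Store. The file names agrsm64.sys and agrsm.sys come from the article; ltmdm64.sys is assumed here to be the driver removed in October 2025 and should be confirmed against that advisory. The script is read-only.

```powershell
# Added example (not from the article, Rapid7 or Microsoft): inventory a host for
# the legacy Agere modem drivers discussed above. agrsm64.sys and agrsm.sys are
# the names given in the article; ltmdm64.sys is ASSUMED to be the driver Microsoft
# removed in October 2025 and should be confirmed against that advisory.
# Run in an elevated PowerShell session. It reports only; nothing is removed.

$legacyDrivers = @('agrsm64.sys', 'agrsm.sys', 'ltmdm64.sys')
$driverDir     = Join-Path $env:SystemRoot 'System32\drivers'

function Get-LegacyModemDriverFiles {
    # A modem does not have to be attached: the binary on disk is what a local
    # elevation-of-privilege exploit loads, so check for the files first.
    foreach ($name in $legacyDrivers) {
        $path = Join-Path $driverDir $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $sig  = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Driver      = $name
                Path        = $path
                FileVersion = $item.VersionInfo.FileVersion
                Signer      = $sig.SignerCertificate.Subject
                SigStatus   = $sig.Status
            }
        }
    }
}

function Get-LegacyModemDriverServices {
    # Kernel-mode services registered for these binaries, and whether each is
    # currently loaded (State) or would load on demand (StartMode).
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $_.PathName -and ($legacyDrivers -contains (Split-Path -Path $_.PathName -Leaf))
        } |
        Select-Object Name, State, StartMode, PathName
}

'== Driver binaries present under {0} ==' -f $driverDir
$files = @(Get-LegacyModemDriverFiles)
if ($files.Count -eq 0) { 'none found' } else { $files | Format-Table -AutoSize }

'== Kernel services referencing these binaries =='
$services = @(Get-LegacyModemDriverServices)
if ($services.Count -eq 0) { 'none registered' } else { $services | Format-Table -AutoSize }

# OEM-supplied copies live in the Driver Store as third-party packages. Inbox
# drivers are not listed by pnputil, so an empty result here does not by itself
# clear the host; the file check above is the one that matters.
'== Third-party Driver Store packages mentioning these drivers =='
pnputil /enum-drivers | Select-String -Pattern 'agrsm|ltmdm' -Context 2, 3
```

Run it across a fleet (for example through a remote session or an EDR live-query) and treat any host that still lists one of these binaries after this month's update as either unpatched or carrying an OEM copy that the Windows update did not touch.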
Immersive, Ivanti, and Rapid7 collectively highlighted CVE-2026-21265, a critical Security Feature Bypass vulnerability impacting Windows Secure Boot. This feature, intended to guard against rootkits and bootkits, depends on certificates scheduled to expire in June and October 2026. After these 2011 certificates expire, Windows devices lacking the newer 2023 certificates will cease to receive Secure Boot security updates.
Barnett advised that thorough preparation is crucial when updating the bootloader and BIOS, considering the specific OS and BIOS combination, as incorrect remediation could result in an unbootable system.
Barnett pointed out that while fifteen years is a significant period in information security, the Microsoft root certificates that have signed the Secure Boot ecosystem since the Stuxnet era are nearing expiration. Microsoft released replacement certificates in 2023, along with CVE-2023-24932, which included Windows patches and steps to address the Secure Boot bypass utilized by the BlackLotus bootkit.
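Before touching firmware or the boot manager, it helps to know where a device already stands. The PowerShell below is an added example, not code from the article or from Microsoft: a read-only readiness check that reads the UEFI db, dbx and KEK variables and reports which Microsoft certificate authorities are present, using Microsoft's published certificate subject names. It assumes a UEFI machine with Secure Boot enabled and an elevated session. The registry value UEFICA2023Status is the status indicator Microsoft documents for its Secure Boot servicing task; it is assumed absent on builds that have not received that logic, and the script reports that case rather than failing.

```powershell
# Added example (not from the article or from Microsoft): a read-only readiness
# check for the Secure Boot certificate rollover. It changes no UEFI variables.
# Assumes: UEFI firmware, Secure Boot on, elevated PowerShell. Certificate subject
# strings are Microsoft's published CA names. UEFICA2023Status is the registry
# value Microsoft documents for its servicing task and is assumed to be missing
# on older builds.

function Get-SecureBootVarText {
    param([Parameter(Mandatory)][string]$Name)
    # Subject names inside the DER-encoded certificates are plain ASCII, so a
    # string search over the raw variable bytes is enough to detect each CA.
    $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    [System.Text.Encoding]::ASCII.GetString($var.Bytes)
}

function Test-SecureBoot2023Readiness {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        Write-Warning 'Not a UEFI system or Secure Boot is unsupported; nothing to check.'
        return
    }
    if (-not $enabled) {
        Write-Warning 'Secure Boot is disabled on this system.'
        return
    }

    $db  = Get-SecureBootVarText -Name db
    $dbx = Get-SecureBootVarText -Name dbx
    $kek = Get-SecureBootVarText -Name KEK

    $checks = [ordered]@{
        # 2011-era CAs that the article says expire in June and October 2026
        'db  has Microsoft Windows Production PCA 2011'      = ($db  -match 'Microsoft Windows Production PCA 2011')
        'db  has Microsoft Corporation UEFI CA 2011'         = ($db  -match 'Microsoft Corporation UEFI CA 2011')
        # 2023 replacement CAs that must be present to keep receiving updates
        'db  has Windows UEFI CA 2023'                       = ($db  -match 'Windows UEFI CA 2023')
        'db  has Microsoft UEFI CA 2023 (third-party)'       = ($db  -match 'Microsoft UEFI CA 2023')
        'KEK has Microsoft Corporation KEK 2K CA 2023'       = ($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        # BlackLotus mitigation (CVE-2023-24932): old Windows PCA revoked in dbx
        'dbx revokes Microsoft Windows Production PCA 2011'  = ($dbx -match 'Microsoft Windows Production PCA 2011')
    }

    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                                  -Name UEFICA2023Status -ErrorAction SilentlyContinue
    $servicingStatus = 'value not present on this build'
    if ($servicing) { $servicingStatus = $servicing.UEFICA2023Status }
    $checks['Windows servicing status (UEFICA2023Status)'] = $servicingStatus

    foreach ($key in $checks.Keys) {
        '{0,-52} : {1}' -f $key, $checks[$key]
    }

    if (-not $checks['db  has Windows UEFI CA 2023']) {
        Write-Warning ('The 2023 Windows UEFI CA is not in db. Once the 2011 CA expires this device ' +
                       'stops receiving Secure Boot updates. Confirm firmware support and a recovery ' +
                       'path with the OEM before applying the KEK/db/dbx updates.')
    }
}

Test-SecureBoot2023Readiness
```

Because the script only reads variables, it can be run fleet-wide to build the inventory Barnett's advice calls for; the actual KEK, db and dbx updates should then be rolled out per OEM and Microsoft guidance, with a tested recovery path, since a mismatched firmware and boot manager combination is what leaves a machine unbootable.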
Goettl also mentioned that Mozilla has issued updates for Firefox and Firefox ESR, addressing 34 vulnerabilities in total. Two of these, CVE-2026-0891 and CVE-2026-0892, are believed to be under active exploitation. Both are resolved in Firefox 147 (MFSA2026-01), and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).
Goettl also expected further updates for Google Chrome and Microsoft Edge this week, on top of the January 6 Chrome update that fixed a high-severity vulnerability in Chrome WebView (CVE-2026-0628).
The SANS Internet Storm Center provides a detailed breakdown of each patch by severity and urgency. Windows administrators may also monitor askwoody.com for information regarding any potential compatibility issues with the patches.