Microsoft January 2026 Patch Tuesday Addresses 114 Security Flaws Including Three Zero-Days
Microsoft released its January 2026 Patch Tuesday security updates on January 14, addressing a substantial 114 vulnerabilities across its product portfolio, including one actively exploited zero-day vulnerability and two additional publicly disclosed zero-days. The updates also tackle eight “Critical” severity vulnerabilities, highlighting the persistent security challenges facing Windows users and enterprise IT departments as cyber threats continue to evolve.
Overview of the January 2026 Patch Tuesday
The January 2026 release represents one of the more significant Patch Tuesday updates in recent months, both in terms of the sheer number of vulnerabilities addressed and the severity of several key flaws. Of the 114 total vulnerabilities patched, eight are rated “Critical”—six remote code execution flaws and two elevation-of-privilege vulnerabilities that could allow attackers to gain higher access privileges on compromised systems.
The vulnerability breakdown by category includes:
- Remote Code Execution: Multiple flaws that could allow attackers to execute arbitrary code on target systems
- Elevation of Privilege: Vulnerabilities enabling attackers to gain higher permission levels
- Information Disclosure: Flaws that could expose sensitive data to unauthorized parties
- Denial of Service: Issues that could allow attackers to crash systems or services
- Security Feature Bypass: Vulnerabilities that circumvent security protections
It’s important to note that these 114 vulnerabilities represent only those released by Microsoft specifically on Patch Tuesday. The count does not include one Microsoft Edge vulnerability fixed earlier in January, nor does it include vulnerabilities in Microsoft’s Mariner Linux distribution that were patched separately. For those tracking cumulative updates: Windows 11 systems should install KB5074109 and KB5073455, while Windows 10 systems receiving extended security updates need KB5073724.
The Actively Exploited Zero-Day: CVE-2026-XXXXX
The most concerning vulnerability in this month’s batch is an information disclosure flaw in the Desktop Window Manager (DWM) that Microsoft confirms has been actively exploited in the wild. Desktop Window Manager is a core Windows component responsible for visual effects including transparent windows, live taskbar thumbnails, and the overall compositing of the Windows desktop.
According to Microsoft’s advisory, the vulnerability allows “exposure of sensitive information to an unauthorized actor in Desktop Windows Manager” and enables “an authorized attacker to disclose information locally.” Successful exploitation allows attackers to read memory addresses associated with remote ALPC (Advanced Local Procedure Call) ports, which are used for inter-process communication within Windows.
“The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port which is user-mode memory,” Microsoft’s security bulletin explains. While this information disclosure might seem abstract, memory addresses can be leveraged in sophisticated attack chains to bypass security protections like Address Space Layout Randomization (ASLR), potentially enabling more serious follow-on attacks.
Microsoft attributes the discovery of this vulnerability to the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC), but has not publicly disclosed how the flaw was being exploited in the wild, which threat actors were responsible, or how many systems may have been compromised. This level of operational security is typical for actively exploited vulnerabilities, as sharing too many details could enable additional attacks before organizations have time to deploy patches.
The company classifies a vulnerability as a “zero-day” if it has been either publicly disclosed or actively exploited while no official patch is available. The January 2026 Patch Tuesday eliminates the zero-day status of this vulnerability by providing the official fix, but organizations that haven’t yet deployed the update remain vulnerable to exploitation.
Two Additional Publicly Disclosed Zero-Days
Beyond the actively exploited vulnerability, Microsoft also patched two additional zero-day vulnerabilities that were publicly disclosed but have not yet been observed under exploitation in the wild. While Microsoft has not released detailed technical information about these vulnerabilities at the time of this reporting, publicly disclosed zero-days represent a significant risk because knowledge of the vulnerability is already available to potential attackers, even if exploitation hasn’t yet been observed.
Security researchers sometimes publicly disclose vulnerabilities through coordinated disclosure processes with vendors, academic papers, or conference presentations. In other cases, information about vulnerabilities may leak through underground forums or be reverse-engineered from security products that have implemented detections for exploitation attempts.
The rapid patching of these publicly disclosed vulnerabilities is critical because the window between public disclosure and widespread exploitation can be measured in days or even hours once malicious actors become aware of the technical details. Organizations should prioritize these zero-days alongside the actively exploited vulnerability when planning their patch deployment schedules.
Critical Remote Code Execution Vulnerabilities
Among the eight Critical-severity vulnerabilities patched in January 2026, six are remote code execution (RCE) flaws that could allow attackers to run arbitrary code on vulnerable systems. Remote code execution vulnerabilities are particularly dangerous because they can often be exploited over a network without requiring prior authentication or user interaction, depending on the specific characteristics of each flaw.
While Microsoft has not released detailed technical information about all eight Critical vulnerabilities, RCE flaws typically affect:
- Network services and protocols
- File parsing and document handling
- Web browsers and rendering engines
- Remote desktop and remote management tools
- Authentication and security subsystems
These types of vulnerabilities have historically been favorites of both sophisticated nation-state actors and cybercriminal groups because successful exploitation can provide an initial foothold into target networks without requiring the victim to take any action beyond having their system accessible on a network.
The two Critical elevation-of-privilege vulnerabilities are also significant, as they could allow an attacker who has already gained limited access to a system to escalate their privileges to administrator or SYSTEM level, enabling them to disable security tools, steal credentials, install persistent backdoors, or move laterally to other systems on the network.
Driver Removal and Deprecation
In addition to the security fixes, Microsoft announced the removal of two legacy drivers—agrsm64.sys and agrsm.sys—which were eliminated in the January 2026 cumulative update. “This is an announcement of the removal of agrsm64.sys and agrsm.sys drivers. The drivers have been removed in the January 2026 cumulative update,” Microsoft stated in the patch notes.
Microsoft credits the security researcher Zeze with TeamT5 for this change, suggesting the drivers posed security risks that warranted their complete removal rather than patching. Legacy drivers often accumulate in Windows over decades of backward compatibility support, but they can introduce security vulnerabilities, especially when they have privileged kernel-level access to the system. The removal of outdated drivers as part of Patch Tuesday updates is an ongoing effort to reduce Windows’ attack surface.
Third-Party Vendor Updates
Several other technology vendors coordinated their security updates with Microsoft’s Patch Tuesday, including:
Adobe released security updates for multiple products including InDesign, Illustrator, InCopy, Bridge, Substance 3D Modeler, Substance 3D Stager, Substance 3D Painter, Substance 3D Sampler, ColdFusion, and Substance 3D Designer. Adobe’s creative software suite is widely used in enterprise environments, making timely patching essential for organizations in media, marketing, and design sectors.
Cisco released security updates for its Identity Services Engine (ISE), addressing a vulnerability with a public proof-of-concept exploit code already available. Public proof-of-concept exploits significantly accelerate the timeline for weaponization, as attackers can simply adapt existing code rather than developing exploits from scratch.
Fortinet released security updates for multiple products, including fixes for two remote code execution vulnerabilities. Given Fortinet’s widespread use in enterprise network security infrastructure, these patches are particularly critical for organizations relying on FortiGate firewalls and other Fortinet security appliances.
D-Link confirmed that a newly discovered actively exploited vulnerability impacts end-of-life routers. This announcement highlights the risks posed by unsupported hardware still deployed in many home and small business environments. End-of-life devices no longer receive security updates, making them attractive targets for attackers seeking to compromise networks.
Google released Android’s January 2026 security bulletin, which includes a fix for one critical vulnerability affecting Dolby Digital Plus codecs. The bulletin specifically mentions a “DD+ Codec” flaw impacting Dolby components, which could potentially allow for arbitrary code execution through specially crafted media files.
Deployment Recommendations
For enterprise IT departments and system administrators, the January 2026 Patch Tuesday requires careful but rapid deployment planning:
- Priority One: Actively Exploited Zero-Day – The Desktop Window Manager information disclosure vulnerability should be patched immediately on all Windows systems, particularly those accessible from the internet or in high-security environments.
- Priority Two: Publicly Disclosed Zero-Days – The two additional zero-day vulnerabilities warrant rapid deployment, as public disclosure significantly increases exploitation risk.
- Priority Three: Critical Remote Code Execution Flaws – The six Critical RCE vulnerabilities should be patched within standard emergency patch windows, typically 48-72 hours for internet-facing systems and within a week for internal systems.
- Standard Deployment: Remaining Vulnerabilities – The other 103 vulnerabilities should be deployed according to normal patch management schedules, typically within 30 days.
Organizations should test patches in staging environments before production deployment, but the presence of an actively exploited zero-day may justify expedited deployment with limited testing for critical systems. As always, maintaining current backups before deploying patches is essential to enable rapid rollback if problems occur.
For home users and small businesses without dedicated IT staff, Windows Update should be configured to install updates automatically to ensure timely protection against these vulnerabilities. The January 2026 Patch Tuesday updates will be automatically downloaded and installed on systems with automatic updates enabled, typically requiring a restart to complete installation.
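As an added example (not part of the article and not Microsoft tooling), the following PowerShell script checks whether the January 2026 cumulative updates named above are installed on the local machine and whether the two legacy drivers Microsoft removed are still present on disk. It assumes it runs as a local administrator on Windows PowerShell 5.1 or later, and that the KB-to-product mapping from the article applies to your build; the function names are my own.

```powershell
# Added example: audit a Windows host against the January 2026 Patch Tuesday
# items this article names. Assumes Windows PowerShell 5.1+ and admin rights.

# Product line (matched against Win32_OperatingSystem.Caption) -> KB numbers
# listed in the article. Windows 10 applies to ESU systems only.
$RequiredKBs = @{
    'Windows 11' = @('KB5074109', 'KB5073455')
    'Windows 10' = @('KB5073724')
}

function Get-Jan2026PatchStatus {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $line = $RequiredKBs.Keys | Where-Object { $os.Caption -like "*$_*" } |
            Select-Object -First 1
    if (-not $line) {
        # Server or other SKU: the article gives no KB for it, so do not guess.
        return [pscustomobject]@{ Product = $os.Caption; Status = 'Unmapped'; MissingKBs = @() }
    }

    # Get-HotFix reads Win32_QuickFixEngineering, which can lag behind the
    # Windows Update history; treat a "missing" result as something to verify.
    $installed = (Get-HotFix).HotFixID
    $missing   = @($RequiredKBs[$line] | Where-Object { $installed -notcontains $_ })

    [pscustomobject]@{
        Product    = $os.Caption
        Build      = $os.BuildNumber
        Status     = if ($missing.Count -gt 0) { 'Missing Jan 2026 CU' } else { 'Patched' }
        MissingKBs = $missing
    }
}

function Get-LegacyDriverStatus {
    # The two drivers the article says were removed in the January 2026 CU.
    foreach ($name in @('agrsm64.sys', 'agrsm.sys')) {
        $path = Join-Path $env:SystemRoot "System32\drivers\$name"
        [pscustomobject]@{
            Driver  = $name
            Present = Test-Path -LiteralPath $path   # $true means removal did not take effect
            Path    = $path
        }
    }
}

Get-Jan2026PatchStatus  | Format-List
Get-LegacyDriverStatus  | Format-Table -AutoSize
```

A driver file still present after the update, or a missing KB on a Windows 11 or Windows 10 ESU host, is the signal to re-check Windows Update history and redeploy before assuming the host is covered.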