Microsoft Patch Tuesday January 2026 is a big one. This month’s update fixes 112 security vulnerabilities across Windows, Microsoft Office, SharePoint, and several core Windows components. More importantly, it includes three zero-day vulnerabilities, along with multiple critical remote code execution (RCE) and privilege escalation flaws.
For organizations and IT teams, this is not a “patch later” update. Several of the issues affect authentication services, file sharing, update infrastructure, and Office documents areas attackers actively target.
What Changed in January 2026?
Here’s a quick snapshot of what Microsoft fixed:
- 112 total vulnerabilities
- 3 zero-days
- 12 critical vulnerabilities
- The majority are Elevation of Privilege (EoP) issues
Vulnerability Breakdown
| Type | Count |
|---|---|
| Elevation of Privilege | 57 |
| Remote Code Execution | 22 |
| Information Disclosure | 22 |
| Spoofing | 5 |
| Security Feature Bypass | 3 |
| Tampering | 3 |
| Denial of Service | 2 |
In simple terms: attackers could combine these bugs to break in, move around, and fully take over systems.
Zero-Day Vulnerabilities You Should Know About
CVE-2026-20805 – Desktop Window Manager
This bug allows attackers to leak sensitive information from memory. While Microsoft rated it as “Important,” independent researchers flagged it as high risk, especially in targeted attacks.
CVE-2026-21265 – Windows Digital Media
This is a privilege escalation flaw that lets an attacker go from a low-privileged user to higher system access. These types of bugs are commonly used after phishing or malware infections.
CVE-2023-31096 – Legacy Driver Issue
Although this CVE was originally assigned years ago, Microsoft included a fix in January 2026 updates. That usually means new exploitation activity or renewed attacker interest.
Zero-days are dangerous because attackers may already know about them. That’s why these fixes matter more than the numbers suggest.
Critical Remote Code Execution Risks
LSASS Remote Code Execution (CVE-2026-20854)
LSASS is responsible for authentication and credential handling. A remote code execution flaw here is serious—it can lead to:
- Credential theft
- Lateral movement
- Full domain compromise
Any vulnerability touching LSASS should be treated as urgent.
Microsoft Patch Tuesday January 2026 CVE List
| CVE ID | Affected Component | Vulnerability Type |
|---|---|---|
| CVE-2026-20805 | Desktop Window Manager | Information Disclosure |
| CVE-2026-21265 | Windows Digital Media | Elevation of Privilege |
| CVE-2023-31096 | Windows Agere Soft Modem Driver | Elevation of Privilege |
| CVE-2026-20854 | Windows LSASS | Remote Code Execution |
| CVE-2026-20944 | Microsoft Word | Remote Code Execution |
| CVE-2026-20953 | Microsoft Office | Remote Code Execution |
| CVE-2026-20952 | Microsoft Office | Remote Code Execution |
| CVE-2026-20955 | Microsoft Excel | Remote Code Execution |
| CVE-2026-20957 | Microsoft Excel | Remote Code Execution |
| CVE-2026-20822 | Windows Graphics Component | Elevation of Privilege |
| CVE-2026-20876 | Windows VBS Enclave | Elevation of Privilege |
| CVE-2026-20856 | Windows Server Update Services (WSUS) | Remote Code Execution |
| CVE-2026-20803 | Microsoft SQL Server | Elevation of Privilege |
| CVE-2026-20965 | Windows Admin Center | Elevation of Privilege |
| CVE-2026-20804 | Windows Hello | Tampering |
| CVE-2026-20808 | Windows File Explorer | Elevation of Privilege |
| CVE-2026-20809 | Windows Kernel Memory | Elevation of Privilege |
| CVE-2026-20810 | WinSock Driver | Elevation of Privilege |
| CVE-2026-20811 | Win32k | Elevation of Privilege |
| CVE-2026-20812 | LDAP | Tampering |
| CVE-2026-20814 | DirectX Graphics Kernel | Elevation of Privilege |
| CVE-2026-20815 | Capability Access Management Service | Elevation of Privilege |
| CVE-2026-20816 | Windows Installer | Elevation of Privilege |
| CVE-2026-20817 | Windows Error Reporting Service | Elevation of Privilege |
| CVE-2026-20818 | Windows Kernel | Information Disclosure |
| CVE-2026-20819 | Windows VBS | Information Disclosure |
| CVE-2026-20820 | Common Log File System | Elevation of Privilege |
| CVE-2026-20821 | Remote Procedure Call | Information Disclosure |
| CVE-2026-20919 | Windows SMB Server | Elevation of Privilege |
| CVE-2026-20921 | Windows SMB Server | Elevation of Privilege |
| CVE-2026-20927 | Windows SMB Server | Denial of Service |
| CVE-2026-20922 | Windows NTFS | Remote Code Execution |
| CVE-2026-20951 | Microsoft SharePoint Server | Remote Code Execution |
| CVE-2026-20963 | Microsoft SharePoint Server | Remote Code Execution |
| CVE-2026-20959 | Microsoft SharePoint Server | Spoofing |
| CVE-2026-21226 | Azure Core Python Client Library | Remote Code Execution |
CVE details are based on Microsoft’s 14 January 2026 Security Update Guide (MSRC) and may be updated as advisories are revised. Read for latest release here
Microsoft Office: High-Risk Entry Point Again
Microsoft patched several critical RCE flaws in Word and Excel. These bugs can be triggered simply by opening a malicious document.
Affected issues include:
- Out-of-bounds reads
- Use-after-free bugs
- Pointer and integer handling errors
This is why email-based attacks and phishing campaigns remain effective. Users don’t need to click links—opening a file can be enough.
Elevation of Privilege: The Real Story This Month
More than half of the patched vulnerabilities are privilege escalation bugs. These don’t usually get flashy headlines, but they are extremely valuable to attackers.
Affected components include:
- Windows kernel and Win32k
- SMB Server
- Management Services
- Virtualization-Based Security (VBS)
- Graphics and DirectX components
Once attackers gain limited access, these bugs help them become SYSTEM, disable defenses, and deploy ransomware.
Servers and Enterprise Infrastructure at Risk
Some of the most concerning issues affect enterprise-grade services, including:
- Windows Server Update Services (WSUS)
- SMB file servers
- NTFS
- SharePoint Server
If these systems are internet-facing, they should be patched immediately.
Patch Carefully, but Don’t Delay
Microsoft has warned about potential issues with certain drivers, such as the Cloud Files Mini Filter. That means testing is important—but waiting too long is riskier.
Best approach:
- Test in a small staging group
- Roll out quickly to critical systems
- Monitor authentication, file access, and update services after patching
How to Prioritize Patching
If you can’t patch everything at once, start here:
- Internet-facing servers (WSUS, SMB, SharePoint)
- Domain controllers and identity services
- User endpoints running Microsoft Office
- Remaining Windows infrastructure
Also, keep an eye on CISA’s Known Exploited Vulnerabilities list, as zero-days often show up there quickly.
Final Takeaway
January 2026 Patch Tuesday is high-risk and high-priority.
The mix of zero-days, Office RCEs, LSASS vulnerabilities, and privilege escalation bugs creates a clear path for real-world attacks.
If you manage Windows systems, apply these updates as soon as possible and reinforce phishing awareness while attackers test these new exploit paths.
For clear, practical cybersecurity updates you can trust, Follow CyberInfos for Patch Tuesday analysis, zero-day alerts, and real-world threat insights
