Microsoft today issued patches to close at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most severe “critical” rating, and the company warns that one of the bugs fixed today is already being exploited by attackers.

January’s Microsoft zero-day flaw, CVE-2026-20805, stems from a defect in the Desktop Window Manager (DWM), the core Windows component that organizes windows on the user’s screen. Kev Breen, senior director of cyber threat research at Immersive, said that although Microsoft gave CVE-2026-20805 a moderate CVSS score of 5.5, the company has confirmed that the vulnerability is being actively exploited in the wild, indicating that threat actors are already using this flaw against organizations.
Breen said vulnerabilities of this type are typically used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory manipulation exploits.
“By revealing where the code resides in memory, this vulnerability can chain with other code execution flaws, turning a complex and unreliable exploit into a viable, repeatable attack,” Breen said. “Microsoft does not disclose what additional components may be involved in such exploit chains, significantly limiting defenders’ ability to proactively threat hunt related activity. As a result, rapid patching remains the only effective mitigation at this time.”
Chris Goettl, vice president of product management at Ivanti, confirmed that CVE-2026-20805 affects all currently supported versions of the Windows OS as well as versions covered by Extended Security Updates. Goettl said it would be a mistake to dismiss the severity of this flaw based on its “important” rating and relatively low CVSS score.
“A risk-based prioritization methodology justifies treating this vulnerability as a higher severity than the vendor rating or assigned CVSS score,” he said.
Two of the critical flaws patched this month are Microsoft Office remote code execution bugs (CVE-2026-20952 and CVE-2026-20953) that can be triggered simply by viewing a booby-trapped message in the Preview Pane.
The October 2025 Patch Tuesday “End of 10” roundup noted that Microsoft had removed a modem driver from all versions of Windows after it was discovered that hackers were exploiting a vulnerability in it to break into systems. Adam Barnett at Rapid7 said Microsoft today removed two more modem drivers from Windows for much the same reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in very similar modem drivers, tracked as CVE-2023-31096.
“This is not a typo; this vulnerability was originally published via MITRE over two years ago, with an authoritative publication by the original researchers,” Barnett said. “Today’s Windows patch removes agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party and have been included in Windows for decades. The removal of these drivers is imperceptible to most people, but active modems may still be found in some situations, such as in some industrial control systems.”
According to Barnett, two questions remain. One is how many more legacy modem drivers are still present in a fully patched Windows estate. The other is how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft shuts down the attackers who have been enjoying their “life on earth[line]” by exploiting a whole class of dusty old device drivers.
“While Microsoft has not claimed evidence of exploits for CVE-2023-31096, the associated 2023 post and 2025 removal of other Agere modem drivers provided two strong signals for anyone looking for Windows exploits during that time,” Barnett said. “Just to be clear, you don’t need to have a modem connected; just the presence of the driver is enough to make your assets vulnerable.”
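Because the presence of the driver file alone is what matters, a host can be checked for the two drivers named above before and after patching. The following read-only PowerShell inventory is an added example, not code from the article or from Microsoft; only the two file names come from the page, and the search locations and report layout are assumptions.

```powershell
# Added example. Only the two driver file names come from the article;
# the search locations and report layout are assumptions.
$driverNames = @('agrsm64.sys', 'agrsm.sys')

# The live driver directory plus the driver store, where staged driver packages are kept.
$searchRoots = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

$files = foreach ($root in $searchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $driverNames -contains $_.Name }
    }
}

# Kernel driver services whose image path ends in one of the file names.
# PathName can carry \SystemRoot\ or \??\ prefixes, so compare the last segment only.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($driverNames -contains ($_.PathName -split '[\\/]')[-1]) }

$report = @(
    foreach ($f in $files) {
        [pscustomobject]@{
            Kind     = 'File'
            Name     = $f.Name
            Location = $f.FullName
            Detail   = 'version={0}; sha256={1}' -f $f.VersionInfo.FileVersion,
                       (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
    foreach ($s in $services) {
        [pscustomobject]@{
            Kind     = 'Service'
            Name     = $s.Name
            Location = $s.PathName
            Detail   = 'state={0}; start={1}' -f $s.State, $s.StartMode
        }
    }
)

if ($report.Count -eq 0) {
    "No listed modem driver found on $env:COMPUTERNAME"
} else {
    $report | Format-List
}
```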
Immersive, Ivanti and Rapid7 all issued warnings about CVE-2026-21265, a critical security feature bypass vulnerability that affects Windows Secure Boot. This security feature is designed to protect against threats such as rootkits and bootkits, and it relies on a set of certificates set to expire in June 2026 and October 2026. Once these 2011 certificates expire, Windows devices without the new 2023 certificates will no longer be able to receive Secure Boot security fixes.
Barnett cautioned that when updating the bootloader and BIOS, it’s important to be well prepared for the specific OS and BIOS combination you’re working with. This is because incorrect repair steps can make your system unbootable.
“Fifteen years is certainly a very long time in information security, but the Microsoft root certificate, which has signed essentially everything in the secure boot ecosystem since the days of Stuxnet, is expiring,” Barnett said. “Microsoft issued a replacement certificate in 2023 in parallel with CVE-2023-24932 covering related Windows patches and subsequent steps to remediate the secure boot bypass exploited by the BlackLotus boot kit.”
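To see which devices already carry the 2023 certificates, the Secure Boot variables can be read without changing anything in firmware. This PowerShell check is an added example, not code from the article; the certificate names are the ones Microsoft publishes for the Secure Boot certificate rollover and do not appear on the page, and the script assumes an elevated prompt on a UEFI system.

```powershell
# Added example; run from an elevated prompt on a UEFI system.
# Certificate names are the ones Microsoft publishes for the Secure Boot
# certificate rollover; they do not appear in the article.
$certNames = [ordered]@{
    KEK = @('Microsoft Corporation KEK CA 2011',
            'Microsoft Corporation KEK 2K CA 2023')
    db  = @('Microsoft Windows Production PCA 2011',
            'Windows UEFI CA 2023',
            'Microsoft Corporation UEFI CA 2011',
            'Microsoft UEFI CA 2023')
}

try {
    $secureBootOn = Confirm-SecureBootUEFI
} catch {
    Write-Warning "Cannot query Secure Boot (legacy BIOS or not elevated): $($_.Exception.Message)"
    return
}
"Secure Boot enabled: $secureBootOn"

$result = foreach ($variable in $certNames.Keys) {
    # Each variable is a binary signature list; certificate subject names are
    # stored as readable strings, so a text search is enough for an inventory check.
    $raw  = (Get-SecureBootUEFI -Name $variable).Bytes
    $text = [System.Text.Encoding]::ASCII.GetString($raw)
    foreach ($name in $certNames[$variable]) {
        [pscustomobject]@{
            Variable    = $variable
            Certificate = $name
            Present     = $text.Contains($name)
        }
    }
}
$result | Format-Table -AutoSize

# Report only; this script never writes to firmware variables.
$missing2023 = $result | Where-Object { $_.Certificate -like '*2023' -and -not $_.Present }
if ($missing2023) {
    Write-Warning ("2023 certificates not yet in firmware: " + ($missing2023.Certificate -join ', '))
}
```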
Goettl pointed out that Mozilla has released updates for Firefox and Firefox ESR resolving a total of 34 vulnerabilities, two of which are suspected of being exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).
“Expect Google Chrome and Microsoft Edge updates this week, in addition to a high-severity vulnerability in Chrome WebView that was resolved in the January 6th Chrome update (CVE-2026-0628),” said Goettl.
As always, the SANS Internet Storm Center provides a breakdown of each patch by severity and urgency. Windows administrators should keep an eye on askwoody.com for news about any patches that don’t play well with everything. If you have any issues related to installing the January patches, please let us know in the comments section below.