Today’s Patch Tuesday Alert addresses Microsoft’s January 2026 Security Updates. The FIRE team is actively working on coverage for these vulnerabilities and expects to ship that coverage as soon as it is completed.
In-The-Wild & Disclosed CVEs
A vulnerability in the Desktop Window Manager could lead to the disclosure of user-mode memory. Microsoft has reported this vulnerability as Exploitation Detected.
The original Windows Secure Boot certificates are expiring in 2026, and a failure to update them can impact Secure Boot functionality as well as compromise security by impacting security fixes related to Windows boot manager or Secure Boot. For more information on certificate expiration and CA updates, Microsoft released an article with additional details in June 2025. Microsoft has reported this vulnerability as Exploitation Less Likely.
This is a vulnerability impacting the Agere Soft Modem drivers that ship with Windows and could allow privilege escalation to SYSTEM. All supported versions of Windows are impacted, even if they don’t utilize the Agere Soft Modem. A detailed analysis of this vulnerability is available online. Microsoft has reported this vulnerability as Exploitation Less Likely.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per-tag basis. Vulnerabilities are also color-coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted
| Tag | CVE Count | CVEs |
| --- | --- | --- |
| Dynamic Root of Trust for Measurement (DRTM) | 1 | CVE-2026-20962 |
| Windows Secure Boot | 1 | CVE-2026-21265 |
| Windows Deployment Services | 1 | CVE-2026-0386 |
| SQL Server | 1 | CVE-2026-20803 |
| Windows Admin Center | 1 | CVE-2026-20965 |
| Windows Hello | 2 | CVE-2026-20804, CVE-2026-20852 |
| Desktop Window Manager | 2 | CVE-2026-20805, CVE-2026-20871 |
| Printer Association Object | 1 | CVE-2026-20808 |
| Windows Kernel Memory | 1 | CVE-2026-20809 |
| Windows Ancillary Function Driver for WinSock | 3 | CVE-2026-20810, CVE-2026-20831, CVE-2026-20860 |
| Windows Win32K - ICOMP | 4 | CVE-2026-20811, CVE-2026-20920, CVE-2026-20863, CVE-2026-20870 |
| Windows LDAP - Lightweight Directory Access Protocol | 1 | CVE-2026-20812 |
| Graphics Kernel | 2 | CVE-2026-20814, CVE-2026-20836 |
| Capability Access Management Service (camsvc) | 5 | CVE-2026-20815, CVE-2026-20835, CVE-2026-20851, CVE-2026-20830, CVE-2026-21221 |
| Windows Installer | 1 | CVE-2026-20816 |
| Windows Error Reporting | 1 | CVE-2026-20817 |
| Windows Kernel | 2 | CVE-2026-20818, CVE-2026-20838 |
| Windows Virtualization-Based Security (VBS) Enclave | 4 | CVE-2026-20819, CVE-2026-20876, CVE-2026-20938, CVE-2026-20935 |
| Windows Common Log File System Driver | 1 | CVE-2026-20820 |
| Windows Remote Procedure Call | 1 | CVE-2026-20821 |
| Microsoft Graphics Component | 1 | CVE-2026-20822 |
| Windows File Explorer | 4 | CVE-2026-20823, CVE-2026-20932, CVE-2026-20937, CVE-2026-20939 |
| Windows Remote Assistance | 1 | CVE-2026-20824 |
| Windows Hyper-V | 1 | CVE-2026-20825 |
| Tablet Windows User Interface (TWINUI) Subsystem | 2 | CVE-2026-20826, CVE-2026-20827 |
| Windows Internet Connection Sharing (ICS) | 1 | CVE-2026-20828 |
| Windows TPM | 1 | CVE-2026-20829 |
| Windows Remote Procedure Call Interface Definition Language (IDL) | 1 | CVE-2026-20832 |
| Windows Kerberos | 2 | CVE-2026-20833, CVE-2026-20849 |
| Windows Shell | 2 | CVE-2026-20834, CVE-2026-20847 |
| Windows Media | 1 | CVE-2026-20837 |
| Windows Client-Side Caching (CSC) Service | 1 | CVE-2026-20839 |
| Windows NTFS | 2 | CVE-2026-20840, CVE-2026-20922 |
| Windows DWM | 1 | CVE-2026-20842 |
| Windows Clipboard Server | 1 | CVE-2026-20844 |
| Agere Windows Modem Driver | 1 | CVE-2023-31096 |
| Windows Server Update Service | 1 | CVE-2026-20856 |
| Windows Cloud Files Mini Filter Driver | 2 | CVE-2026-20857, CVE-2026-20940 |
| Windows Management Services | 12 | CVE-2026-20858, CVE-2026-20865, CVE-2026-20877, CVE-2026-20918, CVE-2026-20923, CVE-2026-20924, CVE-2026-20861, CVE-2026-20862, CVE-2026-20866, CVE-2026-20867, CVE-2026-20873, CVE-2026-20874 |
| Windows Kernel-Mode Drivers | 1 | CVE-2026-20859 |
| Connected Devices Platform Service (Cdpsvc) | 1 | CVE-2026-20864 |
| Windows Local Session Manager (LSM) | 1 | CVE-2026-20869 |
| Windows Local Security Authority Subsystem Service (LSASS) | 2 | CVE-2026-20875, CVE-2026-20854 |
| Windows SMB Server | 6 | CVE-2026-20919, CVE-2026-20921, CVE-2026-20926, CVE-2026-20927, CVE-2026-20934, CVE-2026-20848 |
| Windows NTLM | 2 | CVE-2026-20925, CVE-2026-20872 |
| Microsoft Office | 3 | CVE-2026-20943, CVE-2026-20953, CVE-2026-20952 |
| Microsoft Office Word | 2 | CVE-2026-20944, CVE-2026-20948 |
| Microsoft Office Excel | 6 | CVE-2026-20946, CVE-2026-20955, CVE-2026-20956, CVE-2026-20949, CVE-2026-20950, CVE-2026-20957 |
| Microsoft Office SharePoint | 5 | CVE-2026-20951, CVE-2026-20959, CVE-2026-20963, CVE-2026-20947, CVE-2026-20958 |
| Azure Connected Machine Agent | 1 | CVE-2026-21224 |
| Windows Routing and Remote Access Service (RRAS) | 2 | CVE-2026-20843, CVE-2026-20868 |
| Windows WalletService | 1 | CVE-2026-20853 |
| Inbox COM Objects | 1 | CVE-2026-21219 |
| Windows Motorola Soft Modem Driver | 1 | CVE-2024-55414 |
| Windows HTTP.sys | 1 | CVE-2026-20929 |
| Windows Telephony Service | 1 | CVE-2026-20931 |
| Windows NDIS | 1 | CVE-2026-20936 |
| Host Process for Windows Tasks | 1 | CVE-2026-20941 |
| Microsoft Edge (Chromium-based) | 1 | CVE-2026-0628 |
| Mariner | 11 | CVE-2025-68759, CVE-2025-68763, CVE-2025-68758, CVE-2025-68756, CVE-2025-68764, CVE-2025-68755, CVE-2025-68765, CVE-2025-68753, CVE-2025-68766, CVE-2025-68757, CVE-2026-21444 |
| Azure Core shared client library for Python | 1 | CVE-2026-21226 |
Other Information
At the time of publication, there were no new advisories included with the January Security Guidance.