~/home/news/january-2026-patch-tuesday-114-2026-01-21
newsWednesday, January 21, 20268 min read👁 17 views

January 2026 Patch Tuesday: 114 CVEs Fixed, 3 Zero-Days Actively Exploited

Microsoft’s January 2026 Patch Tuesday delivered fixes for 114 vulnerabilities-including three zero-day flaws under active exploitation. CrowdStrike breaks down the technical details, impact, and mitigation steps for Windows, Office, Azure, Edge, and related services.

Patch TuesdayMicrosoft VulnerabilitiesZero-DayEnterprise Security

Overview

On January 13, 2026 Microsoft released its monthly security update bundle, addressing a staggering 114 CVEs. Among these, three are zero-day vulnerabilities that are already being weaponised in the wild. CrowdStrike’s analysis highlights the most dangerous flaws-particularly CVE-2026-20805 in the Windows Desktop Window Manager (DWM)-and provides a clear prioritisation roadmap for enterprises that rely on Windows, Office, Azure, Edge, and the broader Microsoft ecosystem.

Technical Details

The update spans a broad attack surface: kernel components, user-mode services, Office document parsers, Azure service agents, and the Edge rendering engine. Below are the three zero-day exploits that demand immediate attention.

CVE-2026-20805 - Windows Desktop Window Manager (DWM) Information Disclosure

  • Severity: Medium (CVSS 5.5)
  • Vector: Remote ALPC (Advanced Local Procedure Call) port that leaks kernel memory addresses.
  • Exploitation: Threat actors can trigger the leak after obtaining a foothold on the system. The disclosed addresses defeat Address Space Layout Randomisation (ASLR), enabling chained exploits that lead to privilege escalation or remote code execution.
  • Active Exploitation: Confirmed in the wild; added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

CVE-2026-20952 & CVE-2026-20953 - Microsoft Office Remote Code Execution

  • Severity: Critical (CVSS 8.4 each).
  • Vector: Malicious Office documents (DOCX, XLSX, PPTX) crafted to exploit a memory-corruption bug in the Office rendering pipeline.
  • Exploitation: No user interaction required beyond opening the document. The flaw bypasses the Protected View sandboxes and runs native code with the privileges of the logged-in user.
  • Impact: Allows attackers to deploy ransomware, steal credentials, or establish persistent back-doors.

CVE-2026-20868 - RRAS (Routing and Remote Access Service) Remote Code Execution

  • Severity: High (CVSS 7.8).
  • Vector: Authenticated network attacker who can induce a client to connect to a malicious RRAS server.
  • Exploitation: Triggers a heap overflow in the RRAS service, resulting in arbitrary code execution with SYSTEM privileges.
  • Notes: While authentication is required, the attack surface is large in environments that expose RRAS for VPN or DirectAccess.

Other Noteworthy Fixes

  • CVE-2026-21265 - Secure Boot certificate expiration bypass (CVSS 6.4). A playbook is provided to rotate certificates before the June 2026 deadline.
  • CVE-2026-20840 and CVE-2026-20922 - NTFS remote code execution (buffer overflows) affecting file-share servers.
  • Multiple Azure-related privilege-escalation bugs in Azure AD Connect and Azure Virtual Desktop agents.

Impact Analysis

The affected asset profile is broad:

  • Operating Systems: Windows 10, Windows 11, Windows Server 2016-2022.
  • Product Suites: Microsoft Office 2016-2021, Office 365 web apps, and Microsoft 365 services.
  • Cloud Services: Azure AD, Azure Virtual Desktop, Azure Stack, and related management agents.
  • Browsers: Microsoft Edge (Chromium-based) - several CVEs address sandbox escape and memory-corruption bugs.

Given the active exploitation of CVE-2026-20805 and the high-severity Office flaws, the risk to enterprises is “critical”. An attacker who can leverage the DWM leak can pivot to other unpatched vulnerabilities, culminating in full system compromise. Ransomware groups are already integrating the Office RCE chain into their initial-access toolkits.

Timeline of Events

  • Early January 2026: Security researchers at CrowdStrike and Expel report active exploitation of a DWM memory-leak.
  • January 8, 2026: Microsoft acknowledges a “high-severity” vulnerability in the DWM component (internal advisory).
  • January 13, 2026: Official Patch Tuesday release - 114 CVEs, including the three zero-days.
  • January 14, 2026: CISA adds CVE-2026-20805 to the KEV catalog; multiple threat-intel feeds publish IOCs.
  • January 16, 2026: CrowdStrike publishes the full analysis; organizations begin rolling out patches.

Mitigation / Recommendations

Enterprises should adopt a layered approach:

  1. Patch Immediately: Deploy the January 2026 cumulative updates via Windows Server Update Services (WSUS), Microsoft Endpoint Manager, or Patch My PC. Prioritise the three zero-days.
  2. Validate Patch Deployment: Use configuration-management tools (e.g., SCCM, Intune) to confirm patch status across all endpoints, including legacy Windows 7/8.1 systems that may still be in use.
  3. Network Segmentation: Isolate RRAS servers and VPN gateways from the corporate LAN. Apply strict firewall rules to block unauthenticated inbound connections.
  4. Exploit-Mitigation Controls: Enable DEP, CFG, and Control Flow Guard on all Windows hosts. Deploy Microsoft Defender for Endpoint’s exploit-guard rules that specifically block ALPC-based memory leaks.
  5. Secure Boot Certificate Rotation: Follow Microsoft’s Secure Boot playbook to replace expiring certificates before the June 2026 deadline.
  6. Office Hardening: Enforce Protected View, disable macros by default, and enable Attack Surface Reduction (ASR) rules 7 (Block Office applications from creating child processes) and 14 (Block Win32 APIs from Office macros).
  7. Azure Guardrails: Review Azure AD Conditional Access policies, enforce MFA for privileged accounts, and apply the latest Azure Security Center recommendations for the patched agents.
  8. Threat Hunting: Leverage CrowdStrike Falcon’s detection modules for DWM-ALPC leaks, Office RCE payload signatures, and RRAS heap-overflow patterns. Search for IOC indicators such as suspicious ALPC port usage (e.g., “\Device\NamedPipe\DwmLeak”).

Real-World Impact

Large enterprises that postpone patching risk cascading breaches. A typical attack chain could look like:

  1. Phishing email delivers a malicious Office document (CVE-2026-20952/20953).
  2. Document executes shellcode that establishes a low-privilege foothold.
  3. Attacker leverages the DWM memory leak (CVE-2026-20805) to bypass ASLR and elevate to SYSTEM.
  4. Using the elevated token, the actor moves laterally, compromising Azure AD Connect and exfiltrating credentials.

Industries with high-value data-financial services, healthcare, and critical infrastructure-are already seeing increased chatter about “DWM-Leak” IOCs in underground forums. Early adopters of the patches report no post-deployment regressions, confirming Microsoft’s extensive regression testing.

Expert Opinion

From a strategic standpoint, the January 2026 bundle marks a shift in Microsoft’s vulnerability-management cadence. The presence of three zero-days-two of which are actively exploited-signals that threat actors are increasingly targeting the “soft underbelly” of the OS: legacy inter-process communication mechanisms and document-parsing libraries that have historically received less scrutiny.

Enterprises must move beyond a “patch-when-available” mindset. The combination of a low-CVSS yet actively exploited flaw (CVE-2026-20805) and high-CVSS Office bugs demonstrates that CVSS alone is no longer a reliable triage metric. Contextual risk scoring-factoring in active exploitation, asset criticality, and lateral-movement potential-should drive patch-priority decisions.

Finally, the rapid coordination between Microsoft, CISA, and the security-research community (CrowdStrike, Expel, Rapid7) exemplifies the collaborative defence model needed to contain zero-day threats. Organizations that embed this model-through shared threat-intel feeds, automated IOCs ingestion, and cross-team incident response drills-will be better positioned to neutralise the next wave of Microsoft-focused attacks.