Microsoft's first Patch Tuesday of 2026 brings a bumper list of 112 CVEs, including its first zero-day patch of the year, CVE-2026-20805, eight Office bugs, and a reminder of incoming Secure Boot certificate expirations.

The exploited vulnerability, an information disclosure bug in the Desktop Window Manager, lets an attacker leak a user-space memory address over a remote ALPC port. It carries a CVSS score of 5.5 and was added to CISA's KEV catalogue soon after disclosure.

Immersive's Senior Director of Cyber Threat Research Kev Breen said such a leak is ripe for use in a chained attack but a lack of information on potential other components that could be used in a chain means patching is the only mitigation.

He said this type of vulnerability "is often used to defeat Address Space Layout Randomization (ASLR) - a security feature in modern operating systems designed to protect against buffer overflows and other exploits that rely on manipulating the memory of a running application.

"Once they know where code resides in memory, [attackers] can chain this with a separate code execution bug to turn a difficult exploit into a reliable one."

Microsoft Office at high risk

While none of the 112 bugs is rated critical, some of the more severe vulnerabilities on the list affect Microsoft Office products, so their impact could be widespread.

This includes the 8.8-rated CVE-2026-20947 and CVE-2026-20963, both described as remote code execution vulnerabilities in SharePoint that do not require elevated or admin privileges.


Jack Bicer, director of vulnerability research at Action1, said two other Office-based RCEs are of concern, CVE-2026-20952 and CVE-2026-20953. He said both could lead to "complete system takeover, data breaches, credential theft, ransomware deployment, and rapid lateral movement across networks."

CVE-2026-20953 in particular, a use-after-free bug, was attractive to attackers due to "low attack complexity and multiple viable exploitation methods", he said. It requires a user to click a link or, in the worst case, merely to receive an email for remote code execution to occur.

In all, January's Patch Tuesday includes 16 vulnerabilities affecting Office.

Boot certificates

Also at the higher end of importance, the list features eight bugs rated by Redmond as "exploitation more likely", all given a CVSS score of 7.8. They include CVE-2026-20816, an elevation of privilege vulnerability in Windows Installer that exploits a time-of-check/time-of-use (TOCTOU) race condition.

Patch Tuesday also gave Microsoft an opportunity to remind customers that its Secure Boot certificates, used to counter pre-boot malware since Windows 8, reach their expiry dates in June and October 2026 and must be updated.

Microsoft assigned the issue CVE-2026-21265, having first flagged it in June 2025, and said the certificate update mechanism relies on device firmware that may contain defects, causing trust updates to fail or "behave unpredictably."

The guidance said: "This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees."
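The "careful validation" Microsoft calls for starts with knowing which CAs a device's firmware actually trusts. The PowerShell below is an added example, not code from the article or from Microsoft: it reads the UEFI db and KEK variables and reports whether each expiring 2011 CA is still present and whether its 2023 replacement has landed. The CA subject strings, the `SecureBoot\Servicing` registry key with its `UEFICA2023Status` value, and the TPM-WMI event ID 1801 are taken from Microsoft's rollover guidance as I recall it and are assumptions here; check them against the current documentation before relying on the output. It must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft): inventory the Secure Boot
# CAs a Windows device currently trusts so the 2023 certificate rollover can be
# validated before and after deployment.

function Get-SecureBootCertRollover {
    if (-not (Confirm-SecureBootUEFI)) {
        throw "Secure Boot is not enabled on this device; there is no trust chain to validate."
    }

    # db and KEK hold DER-encoded certificates; subject names are stored as plain
    # ASCII inside the DER, so an ordinal substring match is enough to tell which CAs are present.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)

    # Expiring 2011 CAs paired with the 2023 CAs that replace them (names assumed from
    # Microsoft's rollover guidance).
    $pairs = @(
        @{ Store = 'kek'; Old = 'Microsoft Corporation KEK CA 2011';    New = 'Microsoft Corporation KEK 2K CA 2023' },
        @{ Store = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' },
        @{ Store = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft UEFI CA 2023' }
    )

    $rows = foreach ($p in $pairs) {
        $blob = if ($p.Store -eq 'kek') { $kek } else { $db }
        [pscustomobject]@{
            Store       = $p.Store
            Expiring    = $p.Old
            OldPresent  = $blob.Contains($p.Old)
            Replacement = $p.New
            NewPresent  = $blob.Contains($p.New)
        }
    }

    # Servicing state Windows records while it applies the update. Key and value names
    # are assumed; the key is absent on devices that have not yet received the servicing update.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                            -ErrorAction SilentlyContinue

    # Event 1801 from TPM-WMI in the System log is the "certificates need to be updated"
    # notification (ID and provider name assumed); its presence means Windows itself
    # considers the device behind.
    $pending = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801 } `
                            -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Certificates    = $rows
        ServicingStatus = if ($svc) { $svc.UEFICA2023Status } else { 'not recorded' }
        UpdatePending   = [bool]$pending
        # The trust chain has only been rolled over once every replacement CA is present.
        RolledOver      = -not ($rows | Where-Object { -not $_.NewPresent })
    }
}

$state = Get-SecureBootCertRollover
$state.Certificates | Format-Table -AutoSize
"Servicing status : $($state.ServicingStatus)"
"Update pending   : $($state.UpdatePending)"
"Rolled over      : $($state.RolledOver)"
```

Run it on a sample of each firmware model before pushing the update fleet-wide, and again afterwards: a device that reports `RolledOver` as `False` while `ServicingStatus` says the update completed is exactly the firmware-defect case the advisory warns about, and it should be pulled from the rollout ring until the vendor confirms a firmware fix. Keep the old-CA columns as well, because a device that has the 2023 CAs but still boots media signed only by the 2011 chain is not finished until its boot media and option ROMs are re-signed too.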
