Eight critical vulnerabilities and an actively exploited zero day highlight Microsoft’s first Patch Tuesday announcements for 2026.
Most of the higher scoring vulnerabilities impact Office products, with two holes in SharePoint scoring an 8.8 on the CVSS scale.
“Last year’s abuse of SharePoint by Chinese APTs to deploy ToolShell against organizations should serve as a warning that SharePoint- and Office-related vulnerabilities can quickly become popular with threat actors,” noted Nick Carroll, cyber incident response manager at Nightwing.
The other vulnerability that scored a CVSS rating of 8.8 is CVE-2026-20868 for the Windows Routing and Remote Access Service. This is a heap-based buffer overflow that allows an unauthorized attacker to execute code over a network. There’s also a patch for a lower-scoring hole in this service (CVE-2026-20843) that allows an elevation of privilege.
Desktop Windows Manager
Arguably, the vulnerability that should draw the attention of CSOs is CVE-2026-20805, because it’s already being exploited. No public proof-of-concept code has been disclosed. It is a hole in Desktop Windows Manager (DWM) that allows a locally authenticated attacker to view information in memory to help them weaken system protections, and from that go deeper into IT systems that rely on DWM.
Exploitation requires local access with low privileges and no user interaction, note researchers at Action1, making it feasible for attackers already present on a system.
For organizations, this vulnerability increases the risk of successful multi-stage attacks, said Jack Bicer, director of vulnerability research at Action1. Leaked memory details can be combined with other vulnerabilities to achieve privilege escalation or allow data theft, potentially leading to broader system compromise, regulatory exposure, and loss of trust.
If the patch can’t be applied immediately, he said, admins should limit local access, enforce least-privilege policies, and closely monitor systems for suspicious local activity.
“From a risk perspective, this issue materially increases the success rate of follow on exploits,” warned Bicer, “and should be viewed as an attack enabler rather than a standalone flaw.”
Satnam Narang, senior staff research engineer at Tenable, called DWM a “frequent flyer” on Patch Tuesday, with 20 CVEs patched in this library since 2022. But, he added, this is the first time researchers have seen an information disclosure bug in this component exploited in the wild.
More priorities
Executives should also prioritize rapid patching and risk reduction efforts this month around the Windows Local Security Authority Subsystem Service Remote Code Execution, Windows Graphics Component Elevation of Privilege, and Windows Virtualization Based Security Enclave Elevation of Privilege flaws, Bicer said, as these vulnerabilities directly enable full system or trust boundary compromise.
Strategic focus should include accelerating patch deployment for critical and important flaws, reducing unnecessary local access, hardening authentication paths, and closely monitoring for abnormal privilege escalation behavior, Bicer said.
“The Desktop Window Manager Information Disclosure should be addressed in parallel due to confirmed exploitation and its role in enabling chained attacks,” he added.
Secure Boot certificates
Security experts also drew attention to Microsoft’s warning that certain Secure Boot certificates issued in 2011 will expire in June or October unless updates included in the January patches are installed. Details are included in CVE-2026-21265. Secure Boot prevents malicious code from loading during the Windows startup process; systems not updated in time may become vulnerable to Secure Boot bypasses.
Chris Goettl, vice-president of product management at Ivanti, called this “a ticking time bomb for enterprise security that IT teams need to act on now before facing serious operational issues.”
Additionally, Tyler Reguly, associate director of security R&D at Fortra, noted that the Microsoft documentation of fixes for the expiring certificates isn’t a single page, but contains a multitude of links – including an entire deployment playbook for IT professionals. “With less than half a year to prepare, it is time to ensure that environments and teams are prepared for this update,” he said.
More likely for exploit
Reguly also said one of the more interesting updates this month is a fix for a Windows Agere Soft Modem Driver elevation of privilege (CVE-2023-31096) issue. “It is not often that you see a CVE from three years ago show up, but Microsoft is finally cleaning up a problem that has been around for a while,” he said. This driver ships with Microsoft Windows, but according to a post about this vulnerability, the driver has been end of life since 2016. The solution to this vulnerability is simply to remove the impacted drivers, agrsm64.sys and agrsm.sys, from systems.
Nick Carroll of Nightwing says security leaders should pay attention to patching vulnerabilities that Microsoft says are more likely to be exploited. These are:
an improper handling of permissions in Windows Error Reporting (CVE-2026-20817) that could allow an authorized attacker to elevate privileges locally;
a buffer overflow in Windows Common Log File System Driver (CVE-2026-20820) that could lead to an authorized attacker to elevate privileges locally;
a buffer overflow that could lead to remote code attacks in Windows NTFS (CVE-2026-20840).
This is one of two NTFS issues flagged this month, noted Kev Breen, senior director of cyber threat research at Immersive. If technical details are made public, this could become an n-day vulnerability, he warned, creating a narrow window in which IT can apply patches before exploitation becomes widespread;
an issue with Windows Ancillary Function Driver for WinSock that can let an authorized attacker elevate privileges locally (CVE-2026-20860);
an elevation of privilege issue in Desktop Windows Manager (CVE-2026-20871);
a remote code execution vulnerability in Windows NTFS (CVE-2026-20922).
SAP updates
Separately, SAP released 19 new or updated security patches, including six HotNews Notes and four High Priority Notes. One of the most important is a critical SQL injection vulnerability in S/4HANA Private Cloud and On-Premise (Financials – General Ledger), tagged with a CVSS score of 9.9. Exploitation can lead to full system compromise by low-privileged users. In addition, a code injection vulnerability, with a CVSS score of 9.1, was patched in S/4HANA Private Cloud and On-Premise.
Oracle and Mozilla
Researchers at Ivanti note that Mozilla released a trio of updates for Firefox and Firefox ESR resolving a total of 34 CVEs. All three updates have an Impact rating of High. Two of the CVEs are suspected to have been exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).
Finally, researchers at Nightwing note that Oracle admins should be ready for the first of the company’s four major patch days a year, which this year falls on Tuesday January 20. There should be a pre-release announcement on January 15 that will help organizations prepare for what’s coming.
No Responses