Microsoft released the January 2026 security updates, known as Patch Tuesday, correcting 114 flaws in various products. Entre is a zero-day vulnerability actively exploited by attackers, affecting Desktop Window Manager and Windows. The fixes cover critical operating system components, Office applications, and server services.
Updates were made available on January 13, 2026 for supported versions of Windows, including Windows 10, Windows 11, and server editions. Administradores of systems should prioritize immediate application of these patches to reduce exploitation risks. The presence of a flaw already used in real attacks increases the urgency of implementation.
Organizations of all sizes need to evaluate the impact of these fixes on their environments. Microsoft classified eight vulnerabilities as critical, with the potential for remote code execution in specific scenarios.
Zero-day failure on Desktop Window Manager
The vulnerability CVE-2026-20805 represents the main alert of this Patch Tuesday. Ela allows disclosure of sensitive information in the system’s memory through Desktop Window Manager, the component responsible for the graphical interface of Windows. Atacantes with local access and low privileges can exploit the flaw without user interaction.
This exploit facilitates chained attacks, combining data disclosure with other vulnerabilities to elevate privileges or steal information. Microsoft confirmed real-world use cases of this flaw before the fix. Especialistas recommend intensive monitoring of suspicious local activity until the patch is fully applied.
- Limit unnecessary local access to critical systems.
- Enforce least privilege policies on user accounts.
- Observe abnormal behaviors in DWM-related processes.
- Accelerate testing and deployment in corporate environments.
Critical vulnerabilities in Office and SharePoint products
Several serious flaws affect Office suites and collaborative platforms. Seis critical vulnerabilities allow remote code execution in products such as Excel, Word and SharePoint. Atacantes can exploit these holes through malicious files or server interactions.
SharePoint receives special attention due to histories of abuse by power groups. Duas failures in this component achieve a high score in the CVSS system. Successful exploitation compromises entire servers and exposes sensitive corporate data.
Another important fix affects the LSASS service, responsible for authentication on Windows. The CVE-2026-20854 flaw allows remote code execution with low complexity in certain scenarios. Administradores must prioritize servers exposed to the network for this update.
Secure Boot certificates with scheduled expiration
The updates include preventive measures for Secure Boot certificates issued in 2011. Microsoft incorporated new certificates into the January fixes to prevent future outages.
Systems without these updates are vulnerable to bypass protections during boot. Secure Boot prevents malicious code from loading at Windows startup. Empresas with large fleets of devices need to plan for broad application of these patches.
The Microsoft documentation provides detailed guides for deployment in enterprise environments. Administradores can check current certificate status using native system tools. Early preparation avoids massive operational problems in the second half of 2026.
Removal of legacy drivers and other fixes
Microsoft removed outdated Agere modem drivers present in Windows installations since older versions. Esses components, unsupported since 2016, contained elevation of privilege vulnerability now fixed by complete deletion. The action eliminates residual risks in legacy systems.
Other important flaws affect services such as Routing and Remote Access and Virtualization Based Security. A vulnerability in the VBS enclave allows elevation of privileges in virtualization-enabled environments. The fix reinforces isolation of sensitive processes.
Windows graphical components are also patched against elevation of privileges. Essas fixes prevent exploitation in local attack scenarios. The combination of multiple minor failures increases the overall risk on non-updated systems.
Deployment priorities for administrators
Administrators must launch the application from systems exposed to the internet, such as SharePoint and WSUS servers. Then focus on workstations with local administrative users. Testes in controlled environments prevent regressions in specific drivers.
- Accelerate patches for critical and exploited flaws.
- Reduce unnecessary local access to endpoints.
- Harden authentication paths on domain controllers.
- Monitor indicators of compromise related to DWM.
- Plan to update Secure Boot certificates on a large scale.
Rapid deployment mitigates risks of chained attacks that use the disclosed zero-day. Organizações with centralized management tools facilitate automatic distribution. Microsoft maintains a low exploit rating for most of the remaining flaws.
Additional details about risk classification
The CVSS system assigns varying scores to this month’s vulnerabilities. Oito reach a critical level, mainly due to the potential for remote execution without authentication. The remaining majority classify themselves as important, focusing on local elevation of privileges.
Faults in components such as NTLM and Remote Procedure Call receive preventive fixes. Esses services remain frequent targets in corporate environments. The cumulative update simplifies application on recent versions of Windows.
Environments with Windows Server require special attention to services such as SMB and Cloud Files Mini Filter. Correções in these components prevents exploitation on internal networks. The Microsoft continues the trend of robust releases at the beginning of the year.
Full application of these updates strengthens overall defenses of the Windows ecosystem. Empresas maintain secure operations by following the recommended patch schedule. The January 2026 Patch Tuesday lays a solid foundation for security throughout the year.
