Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)

Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)
微软在2026年1月的补丁更新中修复了113个CVE漏洞，其中8个为关键级别、105个为重要级别，并包含两个零日漏洞。此次更新涉及Azure、Office、Windows等多个组件的安全修复。 2026-1-13 18:37:32 Author: www.tenable.com(查看原文) 阅读量:1 收藏

January 13, 2026

5 Min Read

A graphic from Tenable Research Special Operations regarding the January 2026 Microsoft Patch Tuesday. It features a yellow hexagon icon with crossed band-aids above the text "Microsoft Patch Tuesday" and "Zero Day Vulnerabilities," all framed by a colorful striped border.

8Critical
105Important
0Moderate
0Low

Microsoft addresses 113 CVEs in the first Patch Tuesday of 2026, with two zero-days, including one that was exploited in the wild.

Microsoft patched 113 CVEs in its January 2026 Patch Tuesday release, with eight rated critical and 105 rated as important. Our counts omitted one CVE that was assigned by MITRE, CVE-2023-31096.

A pie chart showing the severity distribution across the Patch Tuesday CVEs patched in January 2026

This month’s update includes patches for:

Azure Connected Machine Agent
Azure Core shared client library for Python
Capability Access Management Service (camsvc)
Connected Devices Platform Service (Cdpsvc)
Desktop Window Manager
Dynamic Root of Trust for Measurement (DRTM)
Graphics Kernel
Host Process for Windows Tasks
Inbox COM Objects
Microsoft Graphics Component
Microsoft Office
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Office Word
Printer Association Object
SQL Server
Tablet Windows User Interface (TWINUI) Subsystem
Windows Admin Center
Windows Ancillary Function Driver for WinSock
Windows Client-Side Caching (CSC) Service
Windows Clipboard Server
Windows Cloud Files Mini Filter Driver
Windows Common Log File System Driver
Windows DWM
Windows Deployment Services
Windows Error Reporting
Windows File Explorer
Windows HTTP.sys
Windows Hello
Windows Hyper-V
Windows Installer
Windows Internet Connection Sharing (ICS)
Windows Kerberos
Windows Kernel
Windows Kernel Memory
Windows Kernel-Mode Drivers
Windows LDAP - Lightweight Directory Access Protocol
Windows Local Security Authority Subsystem Service (LSASS)
Windows Local Session Manager (LSM)
Windows Management Services
Windows Media
Windows NDIS
Windows NTFS
Windows NTLM
Windows Remote Assistance
Windows Remote Procedure Call
Windows Remote Procedure Call Interface Definition Language (IDL)
Windows Routing and Remote Access Service (RRAS)
Windows SMB Server
Windows Secure Boot
Windows Server Update Service
Windows Shell
Windows TPM
Windows Telephony Service
Windows Virtualization-Based Security (VBS) Enclave
Windows WalletService
Windows Win32K - ICOMP

A bar chart showing the count by impact of CVEs patched in the January 2026 Patch Tuesday release

Elevation of privilege (EoP) vulnerabilities accounted for 49.6% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 19.5%.

CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability

CVE-2026-20805 is an information disclosure vulnerability affecting Desktop Window Manager. It was assigned a CVSSv3 score of 5.5 and was rated as important. Successful exploitation allows an authenticated attacker to access sensitive data. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.

Additionally, Microsoft patched another Desktop Window Manager vulnerability this month. CVE-2026-20871 is an EoP vulnerability that was assigned a CVSSv3 score of 7.8 and was rated as important. Contrary to CVE-2026-20805, CVE-2026-20871 was not exploited in the wild, although it was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability

CVE-2026-21265 is a security feature bypass in the Windows Secure Boot. It was assigned a CVSSv3 score of 6.4 and is rated important. It was assessed as “Exploitation Less Likely.”

Microsoft certificates are stored in the Unified Extensible Firmware Interface (UEFI) Key Enrollment Key (also known as Key Exchange or KEK) and DB. These certificates are reaching their expiration date, so these certificates need to be updated to ensure Secure Boot functionality remains and to prevent future issues from arising. The following are the certificates set to expire in 2026:

Certificate Authority (CA)	Expiration Date	Purpose	Location
Microsoft Corporation KEK CA 2011	June 24, 2026	Signs updates to the DB and DBX	KEK
Microsoft Corporation UEFI CA 2011	June 27, 2026	Signs third party boot loaders, Option ROMs and more	DB
Microsoft Windows Production PCA 2011	October 19, 2026	Signs the Windows Boot Manager	DB

This vulnerability is considered “Publicly Disclosed” because the information about the expiration and the location of these certificates are public.

CVE-2026-20952 and CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability

CVE-2026-20952 and CVE-2026-20953 are RCE vulnerabilities affecting Microsoft Office. Each of these vulnerabilities were assigned a CVSSv3 score of 8.4, rated as critical and assessed as "Exploitation Less Likely.” An attacker could exploit these flaws through social engineering by sending the malicious Microsoft Office document file to an intended target. Successful exploitation would grant code execution privileges to the attacker.

Despite being flagged as “Exploitation Less Likely,” Microsoft notes that the Preview Pane is an attack vector for both vulnerabilities, which means exploitation does not require the target to open the file.

CVE-2026-20840 and CVE-2026-20922 | Windows NTFS Remote Code Execution Vulnerability

CVE-2026-20840 and CVE-2026-20922 are RCE vulnerabilities affecting Windows New Technology File System (NTFS). Both were assigned CVSSv3 scores of 7.8 and are rated as important. Microsoft assessed both of these flaws as “Exploitation More Likely.” According to Microsoft, both these flaws stem from heap-based buffer overflows which can be exploited to execute arbitrary code on an affected system. Both advisories also note that any authenticated attacker can exploit these flaws, regardless of privilege level.

Tenable Solutions

A list of all the plugins released for Microsoft’s January 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Research Special Operations

The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this hand-picked group of world-class security researchers is united with one mission: to cut through the noise and deliver critical intelligence about the most dangerous cyber threats emerging right now. Uniting the missions of the Tenable Security Response, Zero-Day Research, and Decision Science Operations teams, RSO disseminates timely, accurate, and actionable information about the latest threats and exposures.

Exposure Management
Vulnerability Management

文章来源: https://www.tenable.com/blog/microsofts-january-2026-patch-tuesday-addresses-113-cves-cve-2026-20805
如有侵权请联系:admin#unsafe.sh