Microsoft’s Patch Tuesday January 2026 update includes fixes for one actively-exploited zero day vulnerability and eight additional high-risk flaws. In all, the Patch Tuesday January 2026 update includes fixes for 112 Microsoft CVEs and three non-Microsoft CVEs, doubling December’s 57 vulnerabilities. The actively exploited zero day is CVE-2026-20805, a 5.5-rated Information Disclosure vulnerability affecting Desktop Window Manager (DWM). The vulnerability find is credited to Microsoft’s own Threat Intelligence Center and Security Response Center (MSRC). Microsoft says of the vulnerability, “Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.” CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog shortly after Microsoft’s announcement. Other vendors issuing updates this week include Fortinet, SAP, ServiceNow, and Adobe, among others.

Patch Tuesday January 2026 High-Risk Vulnerabilities

Microsoft judged eight vulnerabilities as “exploitation more likely.” They include: CVE-2026-20816, a 7.8-rated Windows Installer Elevation of Privilege vulnerability credited to a DCIT security researcher. The time-of-check time-of-use (toctou) race condition in Windows Installer could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges. CVE-2026-20817, a 7.8-severity Windows Error Reporting Service Elevation of Privilege vulnerability. Microsoft notes that “Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally,” potentially leading to SYSTEM privileges. GMO Cybersecurity was credited with the find. CVE-2026-20820 is a 7.8-rated Windows Common Log File System (CLFS) Driver Elevation of Privilege vulnerability. The heap-based buffer overflow in Windows Common Log File System Driver could allow an authorized attacker to elevate privileges locally and attain SYSTEM privileges. CVE-2026-20840 is 7.8-severity Windows NTFS Remote Code Execution vulnerability credited to Sergey Tarasov of Positive Technologies. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally. CVE-2026-20843 is another 7.8-rated flaw, a Windows Routing and Remote Access Service (RRAS) Elevation of Privilege vulnerability. Improper access control in Windows Routing and Remote Access Service (RRAS) could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges. CVE-2026-20860 is also rated 7.8, a Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability credited to DEVCORE. The type confusion vulnerability in Windows Ancillary Function Driver for WinSock could allow an authorized attacker to elevate privileges locally. CVE-2026-20871, a Desktop Windows Manager Elevation of Privilege vulnerability, is also rated 7.8 and is credited to the Trend Zero Day Initiative. The use after free vulnerability in Desktop Windows Manager could allow an authorized attacker to elevate privileges locally. CVE-2026-20922 is also rated 7.8, a Windows NTFS Remote Code Execution vulnerability also credited to Tarasov. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally.

Highest-Rated Vulnerabilities in the Patch Tuesday Update

The highest-rated vulnerabilities in the report – three 8.8-severity flaws – were judged to be at lower risk of attack by Microsoft. They include:

• CVE-2026-20947, a Microsoft SharePoint Server Remote Code Execution/SQL Injection vulnerability
• CVE-2026-20963, a Microsoft SharePoint Remote Code Execution/Deserialization of Untrusted Data vulnerability
• CVE-2026-20868, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution/Heap-based Buffer Overflow vulnerability

 

Microsoft patched 57 vulnerabilities in its Patch Tuesday December 2025 update, including one exploited zero-day and six high-risk vulnerabilities. The exploited zero-day is CVE-2025-62221, a 7.8-rated Use After Free vulnerability in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and gain SYSTEM privileges. CISA promptly added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft credited its own Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) for the find. Microsoft’s Patch Tuesday December 2025 update also issued fixes for 13 non-Microsoft CVEs; all the non-Microsoft CVEs were for Chromium-based Edge vulnerabilities. Other vendors issuing critical Patch Tuesday updates included Fortinet (CVE-2025-59718 and CVE-2025-59719), Ivanti (CVE-2025-10573) and SAP (CVE-2025-42880, CVE-2025-42928, and Apache Tomcat-related vulnerabilities CVE-2025-55754 and CVE-2025-55752).

High-Risk Vulnerabilities Fixed in Patch Tuesday December 2025 Update

Microsoft rated six vulnerabilities as “Exploitation More Likely.” The six are all rated 7.8 under CVSS 3.1, and three are Heap-based Buffer Overflow vulnerabilities. The six high-risk vulnerabilities include: CVE-2025-59516, a 7.8-severity Windows Storage VSP Driver Elevation of Privilege vulnerability. The Missing Authentication for Critical Function flaw in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-59517, also a 7.8-rated Windows Storage VSP Driver Elevation of Privilege vulnerability. Improper access control in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62454, a 7.8-rated Windows Cloud Files Mini Filter Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Cloud Files Mini Filter Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62458, a 7.8-severity Win32k Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Win32K - GRFX could allow an authorized attacker to elevate privileges locally. CVE-2025-62470, a 7.8-rated Windows Common Log File System Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in the Windows CLFS Driver could allow local privilege elevation by an authorized attacker. CVE-2025-62472, a 7.8-severity Windows Remote Access Connection Manager Elevation of Privilege vulnerability. The use of uninitialized resource flaw in Windows Remote Access Connection Manager could allow an authorized attacker to elevate privileges locally.

High-Severity Office, Copilot, SharePoint Vulnerabilities also Fixed

The highest-rated vulnerabilities in the December 2025 Patch Tuesday update were rated 8.8, and there were three 8.4-severity vulnerabilities too. All were rated as being at lower risk of exploitation by Microsoft. The four 8.8-rated vulnerabilities include:

• CVE-2025-62549, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution vulnerability
• CVE-2025-62550, an Azure Monitor Agent Remote Code Execution vulnerability
• CVE-2025-62456, a Windows Resilient File System (ReFS) Remote Code Execution vulnerability
• CVE-2025-64672, a Microsoft SharePoint Server Spoofing vulnerability

The three 8.4-severity vulnerabilities include:

• CVE-2025-64671, a GitHub Copilot for Jetbrains Remote Code Execution vulnerability
• CVE-2025-62557, a Microsoft Office Remote Code Execution/Use After Free vulnerability
• CVE-2025-62554, a Microsoft Office Remote Code Execution/Type Confusion vulnerability