
Microsoft released security updates on January 13, 2026, as part of its monthly Patch Tuesday cycle. The updates fix 114 vulnerabilities in Windows and related products, including one zero-day flaw in the Desktop Window Manager that attackers have already exploited in the wild. The US Cybersecurity and Infrastructure Security Agency added the flaw to its list of known exploited vulnerabilities right after the announcement.

Background

Patch Tuesday is Microsoft's monthly release of fixes for security holes in its software, published on the second Tuesday of every month. This time, the company started 2026 with a large batch of patches, more than double the 57 it fixed in December 2025. The updates cover Windows, Office apps, Azure, and other parts of the Microsoft ecosystem.

The main worry is a zero-day vulnerability, labeled CVE-2026-20805. Zero-day means the flaw was known and used by attackers before Microsoft had a fix ready. This one sits in the Desktop Window Manager, a core part of Windows that handles how windows look and move on screen. Attackers with basic access to a computer can use it to pull sensitive data from the system's memory without the user doing anything.

Microsoft's own threat hunters found the problem. They say it lets someone read memory addresses linked to a remote port used for communication inside Windows. That data might seem small, but it can help attackers break through defenses and dig deeper into a system.

This is not the only zero-day fixed this month. Microsoft patched two more that were public knowledge but lacked fixes: CVE-2026-21265 in Windows digital media parts and CVE-2023-31096, a legacy issue now updated in newer systems. In total, the patches hit 112 Microsoft issues and three from other vendors.

Key Details

The updates tackle a range of problems, from places where attackers could run their own code to spots where they could gain higher access on a machine.

The Exploited Zero-Day

CVE-2026-20805 has a score of 5.5 out of 10 on the standard severity scale, which Microsoft calls 'important.' It needs low-level access on the machine, like a standard user account. Once exploited, it reveals user-mode memory from an ALPC (Advanced Local Procedure Call) port, the Windows mechanism that carries messages between apps and the system.

"Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally." – Microsoft Security Advisory

Experts say this kind of leak often starts bigger attacks. It weakens protections and lets attackers chain it with other flaws to take full control.

High-Risk Privilege Escalation Flaws

Microsoft marked eight vulnerabilities as 'exploitation more likely.' These are mostly elevation of privilege bugs, where low-level users can jump to system admin rights.

  • CVE-2026-20816 in Windows Installer: A race condition lets a local attacker gain SYSTEM privileges. Found by a researcher at DCIT.
  • CVE-2026-20817 in Windows Error Reporting: Improper handling of permissions allows privilege escalation. Spotted by GMO Cybersecurity.

Over 50 such flaws appear this month, many in kernel drivers, SMB Server, and Win32k. These are common paths for malware like ransomware.

Critical Remote Code Execution Issues

Twelve critical flaws let attackers run code from afar. Key ones include:

  • CVE-2026-20854 in LSASS, the Local Security Authority service.
  • Holes in SharePoint scoring 8.8, hitting Office products hard.
  • LDAP tampering in CVE-2026-20812.

Other notes: Secure Boot certificates from 2011 expire soon, in June or October 2026, unless patched. An old driver, agrsm64.sys, needs removal because it has been unsupported since 2016.

Vendors like Adobe, Fortinet, SAP, and ServiceNow also released fixes this week.

What This Means

For home users, apply updates right away through Windows Update. The zero-day needs priority because CISA set a deadline of February 3, 2026, for federal systems, but everyone should act fast.

Companies face higher risks. Many flaws need local access first, but once inside, attackers can spread. Info leaks like CVE-2026-20805 help bypass antivirus and encryption. Privilege jumps open doors to full takeovers, data theft, or ransomware locks.

Rotating passwords and keys on important accounts makes sense if you suspect exposure. Remove old drivers and check Secure Boot status to avoid boot issues later.
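The two housekeeping checks mentioned above can be scripted. The following read-only PowerShell audit is an added example, not part of the original article or of any Microsoft tooling; the function names are hypothetical, and the two certificate names are assumptions taken from Microsoft's published Secure Boot guidance rather than from this page.

```powershell
# Added example: read-only audit, run from an elevated PowerShell session.

function Get-AgrsmDriverStatus {
    # agrsm64.sys is the driver named in the article; look for it on disk,
    # in the driver store, and as a registered kernel driver service.
    $paths = @(
        (Join-Path $env:SystemRoot 'System32\drivers'),
        (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
    )
    $svc = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*agrsm64.sys' }
    [pscustomobject]@{
        FilesFound   = @(Get-ChildItem -Path $paths -Filter 'agrsm64.sys' -Recurse -ErrorAction SilentlyContinue |
                         Select-Object -ExpandProperty FullName)
        ServiceName  = $svc.Name
        ServiceState = $svc.State
    }
}

function Get-SecureBootCertStatus {
    # Certificate names are assumptions from Microsoft's Secure Boot
    # guidance, not values given in the article.
    $old = 'Microsoft Windows Production PCA 2011'
    $new = 'Windows UEFI CA 2023'
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $dbBytes = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
    } catch {
        # Legacy BIOS firmware or a non-elevated session ends up here.
        return [pscustomobject]@{ SecureBoot = "Unavailable: $($_.Exception.Message)" }
    }
    # Certificate subject names are stored as readable ASCII inside db.
    $text = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    [pscustomobject]@{
        SecureBoot  = $enabled
        Has2011Cert = $text.Contains($old)
        Has2023Cert = $text.Contains($new)
    }
}

Get-AgrsmDriverStatus    | Format-List
Get-SecureBootCertStatus | Format-List
```

A machine that reports `Has2011Cert` as true and `Has2023Cert` as false is still relying on the expiring certificates; any file or service reported by the first function means the unsupported driver is still present.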

This Patch Tuesday shows attackers waste no time in the new year. The jump from 57 to 114 flaws means more work for IT teams. Regular patching stays the best defense, as these holes hit everyday parts of Windows used by millions.

Author

  • Vincent K

    Vincent Keller is a senior investigative reporter at The News Gallery, specializing in accountability journalism and in-depth reporting. With a focus on facts, context, and clarity, his work aims to cut through noise and deliver stories that matter. Keller is known for his measured approach and commitment to responsible, evidence-based reporting.