Patch Tuesday, January 2026 Edition – Krebs on Security

Microsoft Issues Critical Security Updates for 113 Vulnerabilities, Including Actively Exploited Zero-Day

Microsoft has released patches for 113 vulnerabilities across its Windows operating systems and supported software. Eight of the flaws are rated “Critical,” and one is already being exploited in the wild, which makes this month’s Patch Tuesday one of the more consequential in recent memory.

The Zero-Day Threat: CVE-2026-20805

At the heart of this month’s release is CVE-2026-20805, a zero-day in the Desktop Window Manager (DWM), the Windows component that composes and renders application windows on screen. Its CVSS score is a modest 5.5, because the bug leaks memory layout information rather than executing code, yet Microsoft has confirmed that attackers are already exploiting it in the wild.

Kev Breen, Senior Director of Cyber Threat Research at Immersive, explains the gravity of the situation: “This vulnerability is commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits. By revealing where code resides in memory, attackers can chain this with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack.”

The concerning aspect? Microsoft has not said which other components such an exploit chain would involve, which leaves defenders with little to hunt for proactively. As Breen puts it: “Rapid patching currently remains the only effective mitigation.”

Critical Office Vulnerabilities: Preview Pane Dangers

Adding to the urgency are two Critical Microsoft Office remote code execution bugs, CVE-2026-20952 and CVE-2026-20953. Both can be triggered from the Preview Pane: previewing a malicious message is enough, with no further user interaction. In practice that means a user does not have to open an attachment or click anything; merely selecting the message so that it renders in the pane could be enough to compromise the system.

The Legacy Modem Driver Nightmare

In a move that highlights how long legacy vulnerabilities can linger, Microsoft has removed two modem drivers from Windows: agrsm64.sys and agrsm.sys. The removal follows the discovery of an elevation of privilege vulnerability in a related driver from the same vendor, CVE-2023-31096, which was originally published over two years ago.

Adam Barnett from Rapid7 points out the alarming timeline: “That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher. Today’s Windows patches remove these drivers. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades.”

The questions Barnett raises are uncomfortable ones: How many more legacy modem drivers are still present on fully-patched Windows assets? And how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft fully cuts off attackers who have been “living off the land[line] by exploiting an entire class of dusty old device drivers?”

Perhaps most concerning is that “there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.”
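Because the mere presence of the driver is what makes a host vulnerable, the practical check is whether the named binaries still exist on disk or are still registered as kernel services. The PowerShell below is an added example, not code from the article, from Microsoft or from the researchers quoted. It searches the two driver names the article gives (agrsm64.sys and agrsm.sys); the search roots and the idea of also checking the driver store and the service list are my additions.

```powershell
# Added example (not from the article): find the legacy modem drivers that the
# January 2026 updates remove, both as files on disk and as registered services.
# The only driver names taken from the page are agrsm64.sys and agrsm.sys.
function Find-LegacyModemDriver {
    [CmdletBinding()]
    param(
        # Names from the article; extend only with names you have verified yourself.
        [string[]]$DriverName = @('agrsm64.sys', 'agrsm.sys'),
        # Assumed default locations: the live drivers folder plus the driver store,
        # which keeps staged copies that Plug and Play can re-install later.
        [string[]]$SearchRoot = @(
            "$env:SystemRoot\System32\drivers",
            "$env:SystemRoot\System32\DriverStore\FileRepository"
        )
    )

    # 1. Files on disk, with file version and Authenticode signer for triage.
    $onDisk = foreach ($root in $SearchRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $DriverName -contains $_.Name } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Source  = 'Disk'
                    Name    = $_.Name
                    Path    = $_.FullName
                    Version = $_.VersionInfo.FileVersion
                    Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned or unreadable)' }
                    State   = ''
                }
            }
    }

    # 2. Registered kernel services. A driver registered as a service is loadable
    #    wherever its binary lives, so match on the service's image path instead.
    $registered = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object {
            $p = $_.PathName
            $p -and ($DriverName | Where-Object { $p -like "*\$_" })
        } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Service'
                Name    = $_.Name
                Path    = $_.PathName
                Version = ''
                Signer  = ''
                State   = "$($_.State) ($($_.StartMode))"
            }
        }

    @($onDisk) + @($registered)
}

# Run from an elevated prompt. An empty result on a host that has the January
# updates confirms the removal took; any hit on such a host deserves a closer look.
$hits = Find-LegacyModemDriver
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Output 'No legacy modem drivers found.' }
```

Running this across a fleet before and after the January rollout gives a direct answer to Barnett's first question for your own estate, at least for the two drivers named here.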

Secure Boot Under Threat: CVE-2026-21265

Another critical vulnerability demanding immediate attention is CVE-2026-21265, a Security Feature Bypass affecting Windows Secure Boot. Secure Boot is designed to stop rootkits and bootkits from loading before the operating system, and it relies on a set of Microsoft certificates that are set to expire in June 2026 and October 2026.

Adam Barnett warns: “Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet. Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.”

The urgency is compounded by the expiry itself: once the 2011 certificates lapse, Windows devices that have not taken on the 2023 certificates can no longer receive Secure Boot security fixes. For organizations that have not completed the certificate rollover, that is a hard deadline rather than a soft one.
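The question every Windows administrator should be able to answer is whether a given machine already trusts the 2023 certificates. The PowerShell below is an added example, not code from the article or from Microsoft. It reads the Secure Boot db, KEK and dbx variables and looks for the published subject names of the 2011 and 2023 Microsoft CAs; the dbx check corresponds to the BlackLotus revocation step Barnett alludes to. The registry value it also reads is written by Windows' own Secure Boot servicing on updated builds and may be absent on older ones, so it is reported as "not reported" rather than treated as a failure.

```powershell
# Added example (not from the article): report whether this machine's Secure Boot
# databases already trust Microsoft's 2023 certificates, which the article says are
# needed to keep receiving Secure Boot fixes once the 2011 certificates expire.
# Run from an elevated prompt on a UEFI system.
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    # Secure Boot variables hold DER-encoded certificates; their subject names
    # survive an ASCII decode, so a plain -match on the decoded bytes is enough.
    function Test-UefiVarContains {
        param([string]$Variable, [string]$Pattern)
        try {
            $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
            return [bool]([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
        } catch {
            return $null   # legacy BIOS, Secure Boot unsupported, or not elevated
        }
    }

    $enabled = $null
    try { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    # Servicing state as recorded by Windows; absent on builds that predate the logic.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue

    $db2023  = Test-UefiVarContains -Variable 'db'  -Pattern 'Windows UEFI CA 2023'
    $kek2023 = Test-UefiVarContains -Variable 'kek' -Pattern 'Microsoft Corporation KEK 2K CA 2023'

    [pscustomobject]@{
        SecureBootEnabled  = $enabled
        Db_HasPCA2011      = Test-UefiVarContains -Variable 'db'  -Pattern 'Microsoft Windows Production PCA 2011'
        Db_HasUefiCA2023   = $db2023
        Kek_HasKEK2KCA2023 = $kek2023
        Dbx_RevokesPCA2011 = Test-UefiVarContains -Variable 'dbx' -Pattern 'Microsoft Windows Production PCA 2011'
        ServicingStatus    = if ($svc -and $svc.PSObject.Properties['UEFICA2023Status']) { $svc.UEFICA2023Status } else { 'not reported' }
        # Future db/dbx updates are signed under the 2023 chain, so both the db and
        # KEK entries must be present before a device can keep receiving them.
        Ready2023Chain     = ($db2023 -eq $true -and $kek2023 -eq $true)
    }
}

Get-SecureBootCertStatus | Format-List
```

A `Ready2023Chain` of `False` on a device that must keep receiving Secure Boot fixes past the expiry dates is the result to act on; `$null` in any of the variable checks means the host could not be inspected and should be re-run elevated, not counted as compliant.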

Browser Vulnerabilities: Firefox and Chrome Updates

The security landscape extends beyond Windows. Mozilla has released updates for Firefox and Firefox ESR, resolving a total of 34 vulnerabilities, two of which are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01), with CVE-2026-0891 also addressed in Firefox ESR 140.7 (MFSA2026-03).

Meanwhile, Google Chrome and Microsoft Edge are expected to release their own critical updates this week. Of particular concern is a high-severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628).
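For Firefox the fixed versions are stated outright, so an inventory check can be precise. The PowerShell below is an added example, not from the article or from Mozilla. It reads the installed binary's version from the default install locations (those paths are assumptions) and compares it against the two floors the article gives: 147 for the release train and 140.7 for ESR. Because the article says only CVE-2026-0891 is addressed in ESR 140.7, an up-to-date ESR is reported with that caveat rather than as fully fixed.

```powershell
# Added example (not from the article): check local Firefox installs against the
# fixed versions named on the page (Firefox 147 and Firefox ESR 140.7).
function Test-FirefoxPatched {
    [CmdletBinding()]
    param(
        # Assumed default install locations; add your own if you deploy elsewhere.
        [string[]]$CandidatePath = @(
            "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
            "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe",
            "$env:LOCALAPPDATA\Mozilla Firefox\firefox.exe"
        ),
        [version]$ReleaseFloor = '147.0',
        [version]$EsrFloor     = '140.7'
    )

    foreach ($path in $CandidatePath | Where-Object { Test-Path -LiteralPath $_ }) {
        $raw = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion   # e.g. "147.0" or "140.7.0"
        $ver = [version]($raw -replace '[^\d.].*$')                         # drop any non-numeric suffix

        if ($ver.Major -eq $EsrFloor.Major) {
            # 140.x: ESR branch (or a stale release build); the ESR fix floor applies.
            $ok   = $ver -ge $EsrFloor
            $note = if ($ok) { 'ESR 140.7+: CVE-2026-0891 fixed; CVE-2026-0892 status for ESR not stated' }
                    else     { 'below 140.7' }
        } elseif ($ver.Major -lt $EsrFloor.Major) {
            $ok   = $false
            $note = 'older than any branch that received the January fixes'
        } else {
            $ok   = $ver -ge $ReleaseFloor
            $note = if ($ok) { 'release 147+: both suspected-exploited CVEs fixed' } else { 'below 147' }
        }

        [pscustomobject]@{ Path = $path; Version = $raw; Patched = $ok; Note = $note }
    }
}

Test-FirefoxPatched | Format-Table -AutoSize
```

Chrome and Edge are left out deliberately: the article gives the date of the Chrome update but not a version number, so there is nothing on the page to compare against.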

The Scope and Scale of the Problem

Chris Goettl, Vice President of Product Management at Ivanti, emphasizes that CVE-2026-20805 affects every currently supported version of Windows, including those covered by Extended Security Updates. He cautions against dismissing the flaw on the strength of its “Important” rating and relatively low CVSS score: “A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.”

What This Means for You

For Windows administrators and security professionals, this Patch Tuesday is a demanding one. An actively exploited zero-day, legacy driver vulnerabilities that require only the driver’s presence, and Secure Boot certificates that are about to expire all land in the same cycle.

The SANS Internet Storm Center provides a detailed per-patch breakdown by severity and urgency, and askwoody.com tracks patches that may not play well with everything. If you run into trouble installing January’s patches, those communities are the place to compare notes before rolling the updates out more broadly.

Tags

Microsoft security updates, Windows vulnerabilities, zero-day exploit, CVE-2026-20805, Desktop Window Manager, Address Space Layout Randomization, Microsoft Office vulnerabilities, modem driver vulnerabilities, Secure Boot bypass, Firefox security updates, Chrome WebView vulnerability, Patch Tuesday, cyber security threats, active exploitation, legacy driver vulnerabilities, certificate expiration, BlackLotus bootkit, risk-based prioritization, system hardening, threat hunting
