
CVE-2023-31096: Microsoft Removes the Agere Soft Modem Driver Over Privilege Escalation

In its first Patch Tuesday of 2026, on January 13, Microsoft did something you rarely see: instead of patching a vulnerable driver, it pulled it out of Windows altogether. The component is the third-party Agere Soft Modem driver, affected by CVE-2023-31096, a local elevation-of-privilege flaw that had been shipping for years alongside supported versions of the operating system.

What the vulnerability is

CVE-2023-31096 is an elevation-of-privilege vulnerability in the kernel-mode driver of the Agere/LSI/Broadcom soft modem, present in the AGRSM64.sys binary up to version 2.2.100.1. It comes down to an IOCTL handler that mishandles memory: a stack-based buffer overflow through an RtlCopyMemory-style copy that skips proper validation of what it is asked to copy.

Since the driver runs in the kernel, an attacker who can already run code with standard user privileges (medium integrity) gets a lever to escalate to SYSTEM, the highest privilege level in Windows. That turns limited access into full control of the machine: installing software, tampering with security services, or planting persistence.

Who is affected

The driver shipped inside supported Windows images, so the vulnerable component could be sitting on machines that haven’t touched an analog modem in years. In practice, the risk lands on Windows systems with the Agere drivers installed and, more visibly, on devices that still rely on analog modems, fax modems, or soft-modem adapters built on Agere/LSI/Broadcom chipsets.

Severity

This one is rated high. Two things push it there: the flaw had already been exploited to gain administrative privileges, and public proofs of concept existed for this driver family. Exploitation does need prior local access, but escalation to SYSTEM is one of the most reused links in an attack chain once the attacker is already in.

Mitigation and patch

Microsoft chose to remove the vulnerable driver from Windows in the January 2026 Patch Tuesday rather than bolt a brittle patch onto abandoned third-party code. According to vendor documentation, the cumulative update removed the agrsm64.sys and agrsm.sys binaries, along with related serial components such as smserl64.sys and smserial.sys.

Pulling the driver wipes out the attack surface right away, but it comes with a bill: devices that depended on these drivers will stop working. The sensible steps are:

  1. Apply the January 2026 update on systems that don’t depend on these modems.
  2. Inventory which systems actually use the Agere drivers.
  3. Replace legacy hardware with modern alternatives, or get vendor-signed drivers if any exist.
  4. Temporarily isolate, on segmented networks, machines that still need the affected hardware.
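Step 2 above, the inventory, is the part most admins have to script themselves. The PowerShell below is an added example for this article, not Microsoft's tooling and not code from the original post. It takes the binary names (agrsm64.sys, agrsm.sys, smserl64.sys, smserial.sys) and the 2.2.100.1 version ceiling from the article; it assumes the installed drivers live under System32\drivers and staged packages under the DriverStore, and the KB identifier of the January 2026 cumulative update is a placeholder you must fill in for your OS build. Run it from an elevated session on the host you want to check.

```powershell
# Inventory a Windows host for the Agere soft modem driver binaries tied to CVE-2023-31096.
# Illustrative example only (not Microsoft's tooling). Run from an elevated PowerShell session.
#
# From the article: affected binaries and the highest affected AGRSM build (2.2.100.1).
# Assumptions: driver locations below, and a placeholder KB id for the January 2026 update.

$affectedBinaries     = @('agrsm64.sys', 'agrsm.sys', 'smserl64.sys', 'smserial.sys')
$maxVulnerableVersion = [version]'2.2.100.1'
$driverDir            = Join-Path $env:SystemRoot 'System32\drivers'
$driverStore          = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
$januaryUpdateKb      = 'KB0000000'   # PLACEHOLDER: KB id of the January 2026 cumulative update for this build

function Get-DriverFileVersion {
    param([Parameter(Mandatory)][string]$Path)
    # FileVersion is free text in some drivers; keep only the leading dotted number so [version] parses it.
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    if ($raw -and $raw -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

# Registered kernel drivers keyed by binary file name, so a hit can be tied to its service and load state.
$registeredDrivers = @{}
foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    if ($drv.PathName) {
        $leaf = [System.IO.Path]::GetFileName(($drv.PathName -replace '^\\\?\?\\', ''))
        $registeredDrivers[$leaf.ToLowerInvariant()] = $drv
    }
}

$findings = foreach ($name in $affectedBinaries) {
    $installedPath = Join-Path $driverDir $name
    $installed     = Test-Path -LiteralPath $installedPath
    # A package can sit staged in the DriverStore without being installed; it is still worth removing.
    $staged = @(Get-ChildItem -Path $driverStore -Recurse -Filter $name -ErrorAction SilentlyContinue)
    if (-not $installed -and $staged.Count -eq 0) { continue }

    $ver = if ($installed) { Get-DriverFileVersion -Path $installedPath } else { $null }
    $svc = $registeredDrivers[$name.ToLowerInvariant()]
    [pscustomobject]@{
        Binary       = $name
        Installed    = $installed
        Version      = $ver
        # Only the AGRSM binaries carry the CVE; the serial helpers are removed alongside them by the update.
        CarriesCve   = ($name -like 'agrsm*') -and ($null -ne $ver) -and ($ver -le $maxVulnerableVersion)
        Service      = if ($svc) { $svc.Name } else { $null }
        State        = if ($svc) { $svc.State } else { 'not registered' }
        StagedCopies = $staged.Count
    }
}

# Get-HotFix only lists packages recorded in the servicing inventory; treat a miss as "unknown", not "absent".
$updateInstalled = [bool](Get-HotFix -Id $januaryUpdateKb -ErrorAction SilentlyContinue)

if (-not $findings) {
    Write-Output "No Agere soft modem binaries found on $env:COMPUTERNAME."
} else {
    $findings | Format-Table -AutoSize
    if ($findings | Where-Object CarriesCve) {
        Write-Warning "Vulnerable AGRSM driver present on $env:COMPUTERNAME; January 2026 update recorded: $updateInstalled"
    }
}
```

The output gives you, per host, whether the binaries are installed, registered as a service and currently running, and how many staged copies the DriverStore still holds, which is what you need to decide between steps 1, 3 and 4 for that machine. Run it through your usual remoting or endpoint-management channel to build the fleet-wide list, and cross-check the update status against Windows Update history where Get-HotFix comes back empty.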

The case sums up a pattern that keeps coming back: when third-party code is abandoned and demonstrably exploitable, removing it beats propping up a patch on a base that won’t hold. That same instinct to shrink attack surface and privileges is what drives mandatory access control tools on Linux such as SELinux and AppArmor.

If you manage Windows machines, take a look at the rest of the January 2026 Patch Tuesday too, which fixed 114 flaws, three of them zero-days. For details on the affected system, see the Windows Desktop page.
