On 13 January 2026 Microsoft shipped the year’s first Patch Tuesday and addressed 114 vulnerabilities across its product line (113 CVEs according to the NVD). The standouts are three zero-days: one actively exploited and two made public before the patch arrived. LinuxGratis is a directory focused on free operating systems, but we track these bulletins closely because plenty of administrators run mixed estates where Windows sits alongside Linux, and because several of these flaws hit network-facing services.
What was fixed
Here is how the 114 flaws break down by type:
- 57 elevation of privilege (EoP)
- 22 remote code execution (RCE)
- 22 information disclosure
- 5 spoofing
- 3 security feature bypass
- 2 denial of service
Of these, 8 were rated critical: 6 remote code execution and 2 elevation of privilege. Affected products include Windows 10 and 11, Windows Server, Microsoft Office, Excel, SQL Server and Azure.
The three zero-days
CVE-2026-20805 (Desktop Window Manager) is the only one under active exploitation. It is an information disclosure vulnerability that lets a local, authenticated attacker read memory addresses. In practice it defeats Address Space Layout Randomization (ASLR) and pairs with a code-execution bug to build reliable exploits. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog that same day, 13 January.
CVE-2026-21265 (Secure Boot) is a publicly disclosed zero-day tied to the expiration of Microsoft certificates stored in UEFI (2011-era certificates expiring between June and October 2026). Systems that go unpatched face a higher risk of Secure Boot protections being bypassed.
CVE-2023-31096 (Agere Soft Modem driver) was also publicly disclosed. This elevation-of-privilege flaw lives in a third-party driver that shipped natively with Windows, and it was resolved by removing the vulnerable drivers (agrsm64.sys and agrsm.sys) from the system.
Critical flaws to watch
Among this month’s critical RCEs, CVE-2026-20953 and CVE-2026-20952 in Microsoft Office stand out, exploitable via malicious documents. The Preview Pane acts as a vector, so a victim can be compromised without ever opening the file. CVE-2026-20854 affects LSASS, the service that manages authentication and system security policy, which makes it especially sensitive. Microsoft Excel piled up several critical RCEs that fire through crafted spreadsheets.
Who is affected and mitigation
The overall severity of the bulletin is critical, mostly because of the in-the-wild zero-day and the Office RCEs, which lend themselves to mass phishing campaigns. Mitigation is straightforward: apply the January 2026 cumulative updates via Windows Update or WSUS as soon as you can, starting with machines running Office exposed to email and servers running LSASS or network roles. If you manage mixed Linux and Windows environments, check your Secure Boot certificate inventory too, with an eye on its expiration throughout 2026.
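As an added illustration of the Secure Boot certificate inventory check suggested above (this is not code from the LinuxGratis article or from Microsoft), the Python below walks the UEFI `db` variable's EFI_SIGNATURE_LIST entries and pulls the notAfter date out of each X.509 certificate so you can list anything lapsing in 2026. It assumes you have already dumped `db` to raw bytes (on Linux from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`, dropping the 4-byte attribute header; on Windows via `(Get-SecureBootUEFI -Name db).Bytes`), and it only decodes the DER fields needed to reach the validity block rather than validating the certificate; `sample_db()` is a constructed stand-in with invented dates.

```python
import struct
import uuid
from datetime import datetime, timezone
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le  # X.509 list type (UEFI spec)

def der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as a UTC datetime."""
    _, pos, _ = der_tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _ = der_tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(der, pos)
    if tag == 0xA0:                      # optional EXPLICIT [0] version
        pos = end
    for _ in range(3):                   # serialNumber, signature, issuer
        _, _, pos = der_tlv(der, pos)
    _, pos, _ = der_tlv(der, pos)        # validity SEQUENCE
    _, _, pos = der_tlv(der, pos)        # notBefore
    tag, start, end = der_tlv(der, pos)  # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def db_cert_expirations(data):
    """Yield notAfter for each X.509 entry in a run of EFI_SIGNATURE_LIST structures.
    Linux: pass open(efivar_path, 'rb').read()[4:] (efivarfs prepends 4 attribute bytes)."""
    pos = 0
    while pos + 28 <= len(data):
        sig_type = data[pos:pos + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, pos + 16)
        entry = pos + 28 + hdr_size
        while sig_type == EFI_CERT_X509_GUID and sig_size > 16 and entry + sig_size <= pos + list_size:
            yield cert_not_after(data[entry + 16:entry + sig_size])  # skip SignatureOwner GUID
            entry += sig_size
        pos += max(list_size, 28)        # never stall on a malformed zero-length list

def _der(tag, body):  # short-form DER encoder (bodies < 128 bytes), only for the constructed sample
    return bytes([tag, len(body)]) + body

def sample_db():
    """Constructed sample: one X.509 list holding a skeletal cert; dates are invented, not Microsoft's."""
    validity = _der(0x30, _der(0x17, b"110624204129Z") + _der(0x17, b"261024204129Z"))
    tbs = _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"") + validity  # serial, sig alg, issuer
    sig = bytes(16) + _der(0x30, _der(0x30, tbs))  # zeroed SignatureOwner GUID + Certificate
    return EFI_CERT_X509_GUID + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig
```

Filter the dates returned by `db_cert_expirations()` on `.year == 2026` to get the entries that need a certificate refresh before they lapse; non-X.509 lists (hash entries) are skipped, not parsed.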