StratosAlly – Cybersecurity for digital safety

Microsoft’s January 2026 Patch Tuesday Fixes 114 Flaws, Patches Active Zero-Day


StratosAlly


Microsoft kicked off 2026 with what amounts to a full accounting of accumulated security debt. On January 13, the company released fixes for 112 vulnerabilities spanning Windows, Office, Azure, SQL Server, and more. Among them are one actively exploited zero-day, two publicly disclosed zero-days, and a ticking time bomb buried deep in Secure Boot infrastructure. 

This is the third-largest January Patch Tuesday on record, a pattern Microsoft has established over recent years as software complexity and vulnerability discovery rates continue their upward march. But size alone doesn’t capture the story. It’s the particular nature of these flaws that matters. 

The Actively Exploited Flaw 

CVE-2026-20805 in the Desktop Window Manager allows an unauthenticated attacker with local access to leak user-mode memory addresses. Specifically, an attacker can extract section addresses from a remote ALPC (Advanced Local Procedure Call) port. What this really means is that adversaries can read memory locations that are supposed to stay hidden. 

This matters because modern operating systems use address space layout randomization (ASLR) to make code locations unpredictable. An attacker needs to know where code lives before they can reliably exploit it. An information disclosure like CVE-2026-20805 is a reconnaissance tool that transforms a risky, unreliable exploit chain into something actually workable. Within days of Microsoft’s patch release, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20805 to its Known Exploited Vulnerabilities catalog, mandating that U.S. federal agencies patch by February 3, 2026.

Beyond the actively exploited flaw, Microsoft addressed two additional publicly disclosed zero-day vulnerabilities. One is CVE-2026-21265, affecting Windows Secure Boot. The flaw isn’t in Secure Boot itself, exactly. Instead, it concerns Microsoft’s Secure Boot signing certificates, initially issued in 2011. These certificates are approaching expiration. The KEK CA 2011 certificate expires June 24, 2026. The UEFI CA 2011 certificate expires June 27, 2026. The Windows Production PCA 2011 certificate expires October 19, 2026. 

Without updated certificates, systems running older firmware can’t verify new Secure Boot updates. The risk isn’t dramatic exploitation so much as a slow degradation of security. Devices that don’t update will eventually be locked out of critical Secure Boot security patches. As one analyst noted, administrators might ignore this flaw not because it seems harmless, but because the implications feel distant. Yet that distance closes with every passing week. 
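The certificate expiry dates above are easy to verify directly on a machine rather than taken on trust. The following script is an added example and not part of the article or of any Microsoft tooling: it reads the Secure Boot KEK and db variables with the built-in `Get-SecureBootUEFI` cmdlet, parses the EFI_SIGNATURE_LIST structures they contain, and lists every X.509 certificate whose NotAfter date falls within a chosen window. The helper names (`Get-SecureBootCertificate`, `Test-SecureBootCertificateExpiry`) and the 365-day window are assumptions chosen for this example; the script must run in an elevated PowerShell session on a UEFI system.

```powershell
# Added example (not from the article): enumerate the X.509 certificates in the
# Secure Boot KEK and db variables and flag those nearing expiry.
# Assumes an elevated session on a UEFI system; uses the built-in SecureBoot module.

# EFI_CERT_X509_GUID from the UEFI specification: marks a signature list that
# carries DER-encoded X.509 certificates (dbx lists usually carry SHA-256 hashes).
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    <#
      Parse one Secure Boot variable (PK, KEK, db or dbx) into the certificates
      it holds. The variable is a sequence of EFI_SIGNATURE_LIST structures:
      a 28-byte header (SignatureType GUID, SignatureListSize, SignatureHeaderSize,
      SignatureSize), an optional header, then SignatureSize-byte entries, each a
      16-byte SignatureOwner GUID followed by the signature data.
    #>
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PK', 'KEK', 'db', 'dbx')]
        [string]$Name
    )

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $listType   = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }
        $listEnd = $offset + $listSize
        $entry   = $offset + 28 + $headerSize

        if ($listType -eq $X509Guid) {
            while ($entry + $sigSize -le $listEnd) {
                # Skip the 16-byte SignatureOwner GUID; the remainder is the DER certificate.
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [PSCustomObject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $entry += $sigSize
            }
        }
        $offset = $listEnd
    }
}

function Test-SecureBootCertificateExpiry {
    # Report certificates in KEK and db that expire within $Days days of today.
    param([int]$Days = 180)
    $deadline = (Get-Date).AddDays($Days)
    foreach ($variable in 'KEK', 'db') {
        Get-SecureBootCertificate -Name $variable |
            Where-Object { $_.NotAfter -le $deadline } |
            Select-Object Variable, Subject, NotAfter, Thumbprint
    }
}

# Confirm-SecureBootUEFI throws on legacy BIOS systems, so guard the call.
try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this system.' }
} catch {
    Write-Warning "Secure Boot state could not be read: $($_.Exception.Message)"
}

Test-SecureBootCertificateExpiry -Days 365 | Format-Table -AutoSize
```

On a machine still carrying only the 2011 certificates, the output should list the KEK CA 2011 entry from the KEK variable and the UEFI CA 2011 and Windows Production PCA 2011 entries from db, each with the NotAfter dates quoted above. Once the replacement certificates have been provisioned through OS and firmware updates, the newer entries appear alongside them, which makes the report a simple way to track the rollout across a fleet.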

Beyond the Secure Boot drama and the three zero-days, Microsoft classified eight vulnerabilities as Critical severity. Six are remote code execution flaws. Two are elevation of privilege vulnerabilities.

Among them is CVE-2026-20854, a use-after-free vulnerability in Windows Local Security Authority Subsystem Service (LSASS). LSASS is the process that handles authentication and security policy enforcement on Windows. A successful exploit lets an authenticated attacker execute code remotely on Windows systems. While Microsoft notes that exploitation requires high attack complexity, LSASS is too central to skip. It’s where credentials live, where policy gets enforced, and where a foothold becomes a consolidation point. 

Microsoft also patched multiple remote code execution flaws in Office applications. CVE-2026-20952 and CVE-2026-20953 affect Microsoft Office broadly, with CVSS scores of 8.4 each. These use-after-free vulnerabilities allow attackers to execute code on a target’s machine by convincing them to open a malicious file. It’s the attack vector that never gets old: email with an attachment, a message on Slack, a file shared through a cloud service. Social engineering remains the fastest path to code execution. 

Everything Else: Elevation, Information Disclosure, and Denial of Service 

The remaining 106 vulnerabilities carry Important severity ratings. The distribution tells a story about the Windows attack surface: 55 elevation of privilege, 22 information disclosure, 16 remote code execution, 5 spoofing, 3 tampering, 3 security feature bypass, and 2 denial-of-service vulnerabilities.

Elevation-of-privilege vulnerabilities deserve particular attention. These typically require some initial foothold or authentication but allow attackers to move from user-level access to system-level control. Organizations using the principle of least privilege can limit the blast radius, but privileged accounts remain targets. Multiple critical services got updates: Kerberos, Windows Installer, Windows Kernel Memory, Windows Remote Assistance, RRAS (Routing and Remote Access Service), and others. 

What This Means for the Next 30 Days 

Organizations need a tactical and strategic response. CISA has mandated federal agencies to patch CVE-2026-20805 by February 3. But that shouldn’t be the ceiling for everyone else. The actively exploited zero-day, coupled with multiple Office RCE vulnerabilities, means that unpatched systems are not a low-risk proposition. 

Strategically, prioritize exposed infrastructure first. Anything reachable from the internet deserves immediate attention. VPN services, web-facing servers, email infrastructure, and file sharing services matter most. Then work inward. The Secure Boot certificate situation deserves a separate tracking item because it’s slow-moving but unavoidable. Organizations running 2011-era hardware whose firmware has never been updated will need UEFI firmware updates to resolve it properly, not just OS patches.

Microsoft’s January release demonstrates an uncomfortable truth: the complexity of modern operating systems means that vulnerability density is no longer exceptional. The count of flaws has become nearly routine. What separates crisis from management is prioritization, testing windows, and the willingness to treat zero-days not as curiosities but as signals that the threat landscape has already changed. 
