Thursday, January 22, 2026

Microsoft's January Patch Tuesday Addresses 112 Critical Vulnerabilities

TechInformed
January 19, 2026

AI-Generated Summary

Microsoft's January Patch Tuesday addressed 112 vulnerabilities, including an actively exploited Windows Desktop Window Manager bug. This critical information disclosure flaw, CVE-2026-20805, aids attackers by bypassing security measures like ASLR. The update also fixed a Gogs vulnerability, with both issues requiring prompt remediation for federal agencies.

Microsoft’s January 2026 Patch Tuesday fixed 112 vulnerabilities across Windows and other products (114 when including Chromium-related updates), including an actively exploited Windows Desktop Window Manager (DWM) information disclosure bug tracked as CVE-2026-20805 (a Common Vulnerabilities and Exposures identifier), according to Trend Micro’s Zero Day Initiative (ZDI). “Patch Tuesday” refers to Microsoft’s monthly security update release, typically published on the second Tuesday of each month, covering Windows and other Microsoft products. CrowdStrike’s Patch Tuesday review described the release as including three zero-days (one actively exploited and two publicly disclosed).

Actively exploited DWM bug

CISA has since added CVE-2026-20805 to its Known Exploited Vulnerabilities (KEV) catalog, setting a February 3, 2026 remediation deadline for federal civilian agencies under BOD 22-01. While the specific threat actors haven’t been named, experts from Immersive and Trend Micro warn that CVE-2026-20805 is being used as a critical “chain link” in active attacks. While the bug only leaks information, hackers use it to defeat Address Space Layout Randomization (ASLR), transforming what would be a complex, unreliable attempt to crash a system into a predictable and repeatable breach. ASLR is like a security guard who moves the company’s most valuable files to a different, random room every single day. Even if a thief knows where the files were yesterday, they won’t be there today.

KEV adds Gogs risk

Separately, CISA’s latest KEV update cycle also includes CVE-2025-8110, a critical Gogs self-hosted Git service vulnerability, with a February 2, 2026 federal remediation deadline, tightening patch windows for agencies and contractors that run internal developer infrastructure. Wiz’s write-up on CVE-2025-8110 describes a symlink bypass that can be abused to write files outside intended paths via Gogs’ API, a risk profile that matters most in environments where repos store CI/CD secrets, infrastructure configs, or credentials used downstream.

Patch volume and exploit mix

Patch volume is also climbing again. CrowdStrike counted 57 CVEs in Microsoft’s December 2025 release; ZDI’s January tally nearly doubles that baseline, underscoring why many security teams treat Patch Tuesday as a standing production event, not an “IT hygiene” task. CrowdStrike’s risk analysis said the leading exploitation techniques in the January release were elevation of privilege (57 patches), followed by remote code execution (22) and information disclosure (22). It also noted Windows accounted for the bulk of fixes (93), followed by Office (16). For Office, Microsoft’s own support documentation for Office 2016 ties January’s security update to CVE-2026-20952 and CVE-2026-20953. (National Vulnerability Database entries for those CVEs describe “use-after-free” behavior in Microsoft Office; details like exploitation conditions vary by product channel and build.)

Credential intrusions and modernization backdrop

Alongside exploit-driven patch urgency, federal agencies are also confronting credential-led intrusions that don’t require a software vulnerability. The U.S. Department of Justice stated that Nicholas Daniel Moore, 24, pleaded guilty to computer intrusion activity involving the U.S. Supreme Court’s electronic filing system and other networks, utilizing stolen credentials to access accounts and obtain sensitive information. That pattern aligns with CISA’s repeated warnings (in multiple joint advisories) that threat actors routinely pursue credential access, via password spraying, brute force, and related techniques, to compromise accounts, underscoring why identity controls are treated as a core defensive layer in federal zero-trust programs.
