Vulnerabilities | January 14, 2026 | 3 min read

Microsoft Patches 113 CVEs Including Actively Exploited Zero-Day

January 2026 Patch Tuesday addresses CVE-2026-20805, an info disclosure bug already under attack. CISA gives feds until February 3 to patch.

Marcus Chen

Microsoft's January 2026 Patch Tuesday dropped yesterday with fixes for 113 vulnerabilities across its product ecosystem. The headline: CVE-2026-20805, an information disclosure flaw in Desktop Window Manager that attackers are already exploiting in the wild.

CISA wasted no time. Within hours of Microsoft's advisory, the agency added CVE-2026-20805 to its Known Exploited Vulnerabilities catalog, giving federal agencies until February 3, 2026 to apply the fix.

What Makes CVE-2026-20805 Dangerous

The vulnerability carries a CVSS score of 5.5—medium severity on paper. But the "actively exploited" designation changes the calculus. Attackers are using this bug right now.

CVE-2026-20805 enables memory address leakage via remote ALPC port connections. On its own, leaking memory addresses doesn't give an attacker system access. But this is classic exploit chain fodder. The disclosure undermines Address Space Layout Randomization (ASLR), a core Windows defense against buffer overflow attacks.

With ASLR bypassed, attackers can reliably predict where code and data structures sit in memory. That makes subsequent exploitation—typically an RCE bug—far more consistent. An attacker chains CVE-2026-20805 with another vulnerability and the second exploit suddenly works every time instead of crashing sporadically.

Microsoft hasn't disclosed who's exploiting this or how widespread attacks have become. The company credited "an anonymous researcher" with the report.

Two More Zero-Days, Not Yet Exploited

Beyond the actively exploited bug, two other vulnerabilities were publicly disclosed before Microsoft released patches:

CVE-2026-21265 affects Windows Secure Boot. This CVSS 6.4 security feature bypass stems from expiring Microsoft certificates. Without updates, Secure Boot verification will fail on affected systems—potentially allowing unsigned code execution during the boot process. Microsoft notes this is a proactive fix rather than a response to attacks.

CVE-2026-20952 and CVE-2026-20953 are use-after-free vulnerabilities in Microsoft Office carrying CVSS scores of 8.4. Both can be triggered through the Preview Pane, meaning victims don't need to open a malicious document. Simply selecting a weaponized file in File Explorer is enough. These haven't been publicly disclosed or exploited, but preview-pane attack vectors have a history of being targeted quickly once patches reveal the bug class.

The Numbers

Of 113 total CVEs addressed:

  • 8 rated Critical
  • 105 rated Important
  • Products affected: Windows, Office, .NET, Azure, Dynamics 365, Exchange Server, SharePoint

Notable critical-severity fixes include CVE-2026-20854 in Windows LSASS (use-after-free exploitable over network) and CVE-2026-20919 in SMB Server (elevation of privilege). Both are worth prioritizing alongside the actively exploited zero-day.

What You Should Do Now

If your organization runs Windows systems, this month's update package deserves immediate attention. CISA's February 3 deadline applies specifically to federal agencies, but the logic applies broadly: you're racing against attackers who already know how to exploit CVE-2026-20805.

For those managing Office deployments, the Preview Pane vulnerabilities are concerning. Consider whether disabling preview functionality is feasible while testing patches—it's a quick mitigation that eliminates the attack vector entirely.

Microsoft's January 2026 Security Update documentation provides the full list of affected products and version-specific remediation guidance.
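One way to turn the priorities above into a patch queue, as an added example that is not from Microsoft or CISA tooling: it ranks the CVEs named in this article with KEV-listed bugs first, then critical-rated fixes, then CVSS. The KEV excerpt is constructed in the layout of CISA's JSON feed (`cveID`, `dueDate`), and the ordering rule and the `triage` function are assumptions for illustration.

```python
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed; the due date is
# the one reported in this article. A real run would load the downloaded feed.
KEV_FEED = json.loads("""
{"vulnerabilities": [{"cveID": "CVE-2026-20805", "dueDate": "2026-02-03"}]}
""")

# CVEs named in this article. cvss is None where the article gives no score;
# critical is True only where the article calls the fix critical-severity.
FINDINGS = [
    {"cve": "CVE-2026-20805", "component": "Desktop Window Manager", "cvss": 5.5, "critical": False},
    {"cve": "CVE-2026-21265", "component": "Windows Secure Boot", "cvss": 6.4, "critical": False},
    {"cve": "CVE-2026-20952", "component": "Microsoft Office", "cvss": 8.4, "critical": False},
    {"cve": "CVE-2026-20953", "component": "Microsoft Office", "cvss": 8.4, "critical": False},
    {"cve": "CVE-2026-20854", "component": "Windows LSASS", "cvss": None, "critical": True},
    {"cve": "CVE-2026-20919", "component": "SMB Server", "cvss": None, "critical": True},
]

def triage(findings, kev_feed, today):
    """Order findings: KEV-listed first, then critical-rated, then by CVSS."""
    due = {v["cveID"]: date.fromisoformat(v["dueDate"])
           for v in kev_feed["vulnerabilities"]}
    rows = []
    for f in findings:
        deadline = due.get(f["cve"])
        days_left = (deadline - today).days if deadline else None
        rows.append({**f, "kev": deadline is not None, "days_left": days_left,
                     "overdue": days_left is not None and days_left < 0})
    # Known exploitation outranks the score: a CVSS 5.5 bug in KEV goes first.
    rows.sort(key=lambda r: (not r["kev"], not r["critical"],
                             -(r["cvss"] or 0.0), r["cve"]))
    return rows

if __name__ == "__main__":
    for r in triage(FINDINGS, KEV_FEED, date(2026, 1, 14)):
        print(r["cve"], r["component"], "KEV" if r["kev"] else "-", r["days_left"])
```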

Why This Matters

This Patch Tuesday continues a pattern we've seen throughout the past year: attackers increasingly target the gaps between patch release and patch deployment. The window from disclosure to exploitation keeps shrinking. CVE-2026-20805 was being exploited before most organizations even knew it existed.

Enterprises with effective vulnerability management programs will deploy these fixes within days. Everyone else becomes part of the attack surface.
