Microsoft Patches 114 Flaws in January 2026 Update, One Exploited in the Wild
Microsoft released its January 2026 security update, fixing 114 vulnerabilities (8 critical; 106 important), including one actively exploited in the wild: CVE-2026-20805 in Desktop Window Manager that could disclose memory details via ALPC. CISA has added this to KEV with a February 3 patch deadline for federal agencies. Other notable fixes include a Secure Boot certificate-expiration bypass (CVE-2026-21265), removal of vulnerable Agere modem drivers tied to older CVEs, and a critical VBS Enclave privilege-escalation (CVE-2026-20876). Edge and other vendor patches accompany the update.