Microsoft Patch Tuesday – January 2026: DWM Vulnerability and Actively Exploited Zero-Day Response Guide
Act now. Microsoft confirmed an actively exploited zero-day. Learn about the information disclosure vulnerability that bypasses ASLR and how to defend against it.
Security Update Release
Microsoft dropped their regular security update on January 14, 2026.
This one's got a zero-day that’s already being exploited in the wild.
So yeah, not optional.
Look, security patching isn’t just routine maintenance.
I’ve been doing this long enough to know—if a hacker wants in, they’re getting in eventually.
That’s just how it is.
What we can do is make ourselves not worth the effort.
Minimize exposure, don’t give them easy wins, and hope they move on to someone else.
Sounds pessimistic?
Maybe.
But it works.
Let’s get into what this patch actually covers.
Key Security Updates
- 114 total vulnerabilities fixed
- 3 zero-days included
- 1 actively exploited zero-day confirmed
- 8 Critical rated (6 RCE + 2 privilege escalation)
- 57 privilege escalation vulnerabilities
- 22 remote code execution vulnerabilities
- 22 information disclosure vulnerabilities
Third largest January patch ever, behind January 2025 and January 2022.
Great.
More weekend work.
Zero-Day Vulnerability: CVE-2026-20805
This is the one you actually need to care about.
CVE-2026-20805.
Microsoft Threat Intelligence Center and Microsoft Security Response Center found it, and it’s confirmed actively exploited.
Hackers are using this right now.
Not theoretically.
Right now.
By itself it looks kinda meh—just info disclosure.
But here’s the thing that keeps me up at night: it's a force multiplier.
Combine it with other exploits and suddenly everything works better for the attacker.
Vulnerability Overview
Information disclosure in Windows Desktop Window Manager.
DWM.
The thing that literally draws everything on your screen.
Every process needs to display something, so DWM runs with high privileges.
You see where this is going.
CVSS 5.5.
Mid score, right?
Don’t let that fool you.
Real-world risk is way higher because this isn’t meant to be used alone.
Here’s the scenario that keeps showing up in my head.
Hacker gets in through phishing.
Basic user privileges, nothing special.
Then they hit CVE-2026-20805, leak some DWM memory addresses, and boom—ASLR is dead.
That privilege escalation exploit that was crashing systems half the time?
Now it's reliable.
“Information Disclosure → ASLR Bypass → Privilege Escalation.”
Classic chain.
Elegant, actually.
I hate it.

How The Attack Works
Exploiting this leaks memory addresses tied to remote ALPC ports.
ALPC is Advanced Local Procedure Call—how Windows components talk to each other internally.
Those leaked addresses let attackers bypass ASLR.
You know, the thing that’s supposed to randomize where code lives in memory so attackers can’t find it.
With DWM addresses exposed?
Attackers know exactly where to aim.
Unstable exploit code becomes a precision tool.
Fantastic.
DWM’s been a target before.
May 2024, CVE-2024-30051 got used to spread QakBot.
Over 20 DWM vulns patched since 2022.
Why does DWM keep getting hit?
Because it’s not just a graphics thing.
Apps don’t draw to the screen directly—DWM composites everything.
Low-privilege user input flows through a SYSTEM-level process.
It sits right at the boundary between user land and kernel land.
Perfect stepping stone.
Anyway.
Moving on.
Mitigation Steps
CISA threw this in the KEV catalog.
Federal agencies have until February 3, 2026.
For everyone else, here’s my priority list:
- Remote work endpoints first. External-facing stuff. You know, the machines connecting from coffee shops on sketchy wifi.
- Business PCs with complicated permission setups next.
- Core systems and specialized equipment last, after you’ve tested.
Can’t patch immediately?
Restrict local low-priv account access.
Monitor DWM with your EDR.
Do what you can.
Affected systems:
| Platform | KB Article | Build Number |
|---|---|---|
| Windows 10 v1809 (x64/32-bit) | KB5073723 | 10.0.17763.8276 |
| Windows Server 2012 R2 | KB5073696 | 6.3.9600.22968 |
| Windows Server 2012 | KB5073698 | 6.2.9200.25868 |
| Windows Server 2016 | KB5073722 | 10.0.14393.8783 |
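Added example, not code from the original post or from Microsoft: a PowerShell check that reads the local build number from the registry and compares it with the January 2026 builds in the table above. The KB ids and build numbers are the ones in the table; the registry handling (including the fallback for the 6.x registry layout on Server 2012 and 2012 R2) is the example's own assumption about how those platforms store version data.

```powershell
# Added example (not from the post). Compares the local OS build with the
# January 2026 builds from the table; KB ids and builds are copied from it.

$RequiredBuilds = @(
    [pscustomobject]@{ Platform = 'Windows 10 v1809';       KB = 'KB5073723'; Build = [version]'10.0.17763.8276' }
    [pscustomobject]@{ Platform = 'Windows Server 2012 R2'; KB = 'KB5073696'; Build = [version]'6.3.9600.22968'  }
    [pscustomobject]@{ Platform = 'Windows Server 2012';    KB = 'KB5073698'; Build = [version]'6.2.9200.25868'  }
    [pscustomobject]@{ Platform = 'Windows Server 2016';    KB = 'KB5073722'; Build = [version]'10.0.14393.8783' }
)

function Get-LocalOsBuild {
    # CurrentBuild is the base build (17763, 14393, ...) and UBR is the revision a
    # cumulative update bumps, so major.minor.CurrentBuild.UBR is the full build string.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($null -ne $cv.CurrentMajorVersionNumber) {
        # Windows 10 / Server 2016 and later. CurrentVersion still reads "6.3" there,
        # so it cannot be used for the major.minor part.
        $prefix = "$($cv.CurrentMajorVersionNumber).$($cv.CurrentMinorVersionNumber)"
    } else {
        # Assumption: Server 2012 (6.2) and 2012 R2 (6.3) predate CurrentMajorVersionNumber
        # and expose major.minor only through CurrentVersion.
        $prefix = $cv.CurrentVersion
    }
    $ubr = if ($null -ne $cv.UBR) { $cv.UBR } else { 0 }   # missing UBR => treat as revision 0
    [version]"$prefix.$($cv.CurrentBuild).$ubr"
}

function Test-JanuaryPatchLevel {
    param([version]$Build = (Get-LocalOsBuild))

    # Match the platform on major.minor.build; the fourth component (UBR) is what the patch changes.
    $target = $RequiredBuilds | Where-Object {
        $_.Build.Major -eq $Build.Major -and
        $_.Build.Minor -eq $Build.Minor -and
        $_.Build.Build -eq $Build.Build
    } | Select-Object -First 1

    if (-not $target) {
        return [pscustomobject]@{
            Platform = 'unknown'; Build = $Build; Required = $null
            Status   = 'Not in the table above; look up the KB for this platform'
        }
    }

    $status = if ($Build -ge $target.Build) { 'Patched' } else { "Missing $($target.KB)" }
    [pscustomobject]@{
        Platform = $target.Platform
        Build    = $Build
        Required = $target.Build
        Status   = $status
    }
}

Test-JanuaryPatchLevel | Format-List
```

The build comparison, rather than `Get-HotFix -Id KB5073723`, is used on purpose: the UBR value reflects whatever cumulative update is actually installed, while the hotfix list is only a cross-check. Pass an explicit `-Build` to test the logic against a build string collected from another machine.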
EDR Can’t Detect This
This part’s frustrating.
Your EDR won’t catch this.
No files dropped.
No shells.
No weird processes spawning.
Just DWM doing normal ALPC stuff and leaking addresses on the side.
EDR sees nothing wrong.
Everything happens inside legit processes.
The malware talks to dwm.exe—a process that’s already running.
No injection, no child processes, nothing to flag.
DWM runs as SYSTEM.
Core Windows process.
EDR vendors don’t hook it aggressively because if something breaks, well.
You know who gets the tickets.
So they monitor “carefully.”
Which means they basically don’t.
This is a chain attack.
Front end looks normal.
Back end privilege escalation happens fast and quiet after ASLR’s already gone.
Logs look weird in hindsight but real-time detection?
Good luck.
Patch or suffer.
Those are your options.
Additional Public Zero-Days
Two more zero-days in this batch.
Not exploited yet, but public.
Standard stuff, honestly.
But worth knowing about.
Secure Boot Certificate Expiration: CVE-2026-21265
Certs from 2011 start expiring June 2026.
Secure Boot checks if firmware comes from trusted sources.
Expired certs = no verification = malware in your boot process.
| Certificate | Expiration Date | Purpose |
|---|---|---|
| Microsoft Corporation KEK CA 2011 | June 24, 2026 | Signing DB and DBX updates |
| Microsoft Corporation UEFI CA 2011 | June 27, 2026 | Signing third-party bootloaders |
| Microsoft Windows Production PCA 2011 | October 19, 2026 | Signing Windows Boot Manager |
Unpatched systems won’t get Boot Manager security fixes after expiration.
BlackLotus-style UEFI bootkits become a real threat.
January update renews to 2023 certs.
Inventory your assets.
Know your UEFI/Secure Boot status.
Plan accordingly.
Agere Soft Modem Driver: CVE-2023-31096
This one’s been public since 2023.
Just now getting fixed.
It happens.
Privilege escalation in Agere soft modem drivers.
SYSTEM privileges if exploited.
Microsoft’s fix?
Delete agrsm64.sys and agrsm.sys entirely.
Same thing they did with ltmdm64.sys back in October 2025.
No modem connected?
Doesn’t matter.
Driver exists = vulnerability exists.
ICS environments with ancient equipment, check your stuff after patching.
Should’ve replaced that hardware years ago, but.
Budget.
Always budget.
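Added example, not code from the original post or from Microsoft, covering the two inventory items above: the Secure Boot certificate status from the CVE-2026-21265 section and the Agere driver files from the CVE-2023-31096 section. The 2011 certificate name is from the table in the post; the 2023 certificate name matched below (`Windows UEFI CA 2023`) and the ASCII-search approach for the UEFI `db` variable are the example's own assumptions.

```powershell
# Added example (not from the post). Reports Secure Boot state, whether the
# 2011 and 2023 Microsoft CAs are present in the UEFI 'db', and whether the
# Agere soft modem driver files named in the post still exist on disk.

function Get-SecureBootCertStatus {
    $result = [ordered]@{ SecureBootEnabled = $null; Has2011CA = $null; Has2023CA = $null; Note = '' }
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Throws on legacy BIOS / non-UEFI firmware, where Secure Boot is not in play.
        $result.Note = 'Secure Boot not available on this system: ' + $_.Exception.Message
        return [pscustomobject]$result
    }
    # 'db' is the allowed-signers database. The DER-encoded certificates inside its
    # EFI_SIGNATURE_LISTs contain the subject names as plain bytes, so an ASCII
    # substring match is a cheap but workable presence test (assumption).
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.Has2011CA = [bool]($db -match 'Microsoft Windows Production PCA 2011')
    $result.Has2023CA = [bool]($db -match 'Windows UEFI CA 2023')   # assumed name of the renewal CA
    if ($result.Has2011CA -and -not $result.Has2023CA) {
        $result.Note = 'Only the 2011 CA present; the renewal has not reached this firmware'
    }
    [pscustomobject]$result
}

function Get-AgereDriverStatus {
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    # Driver service entries that still point at the Agere files, if any.
    $services = Get-CimInstance -ClassName Win32_SystemDriver -Filter "PathName LIKE '%agrsm%'"
    foreach ($name in 'agrsm64.sys', 'agrsm.sys') {
        $path = Join-Path $driverDir $name
        [pscustomobject]@{
            Driver    = $name
            Present   = Test-Path -LiteralPath $path       # the fix deletes the file; present after patching = update did not apply
            Service   = ($services | Where-Object { $_.PathName -match [regex]::Escape($name) } | ForEach-Object Name) -join ','
        }
    }
}

Get-SecureBootCertStatus | Format-List
Get-AgereDriverStatus | Format-Table -AutoSize
```

Both `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` need an elevated prompt. A host that reports `Has2023CA = False` after the January update has been installed is the case the post is warning about: the patch is present but the firmware variables have not been updated, and that is the box to look at before June.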
Additional Security Vulnerabilities
8 Critical-rated vulns this month.
6 RCE, 2 privilege escalation.
CVE-2026-20876 is a VBS Enclave privilege escalation.
Exploiting it gets you VTL2 privileges.
That’s bad.
Like, neutralizing virtualization-based security entirely bad.
CVE-2026-20840 and CVE-2026-20922 are NTFS RCE vulns marked Exploitation More Likely.
Full list in the references.
I’m not typing all 114.
Final Thoughts
Another month, another patch cycle.
This job is mostly just patching things that break other things while explaining to people who don’t really need to understand.
It’s fine.
It’s the job.
Patch your systems.
It’s the only thing that actually works.