Microsoft Patch Tuesday – January 2026
Patch Tuesday is once again upon us. As always, our team has put together the monthly Patch Tuesday Report to help you manage your update progress. The audit report gives you a quick and clear overview of your Windows machines and their patching status. The January 2026 edition of Patch Tuesday brings us 114 fixes, with 8 rated as critical, 1 of which is actively exploited. We’ve listed the most important changes below.
Desktop Window Manager Information Disclosure Vulnerability
The only exploited vulnerability this month is CVE-2026-20805, an information disclosure issue in Windows Desktop Window Manager (DWM) where a local attacker with low privileges can, without user interaction, extract sensitive process/memory-related data: specifically, a user-mode memory section address from a remote ALPC port. Disclosing that address can undermine protections like address randomization and make other attacks easier to chain.
Microsoft indicates exploitation has been detected.
Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
CVE-2026-20854 is a Critical remote code execution vulnerability in Windows Local Security Authority Subsystem Service (LSASS) caused by a use-after-free memory flaw, where an authenticated attacker with low privileges can trigger LSASS to reference invalid memory during authentication.
While Microsoft rates exploitation less likely due to the high attack complexity, it’s still a high-signal remediation item because LSASS is central to Windows authentication and security enforcement.
Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
CVE-2026-20876 is a Critical elevation-of-privilege issue in the Windows VBS Enclave caused by a heap-based buffer overflow, where a local attacker who already has high privileges can, without user interaction and with low complexity, exploit the enclave to elevate into Virtual Trust Level 2 (VTL2), effectively breaching a key virtualization-backed security boundary that’s meant to keep sensitive operations and secrets isolated.
Although Microsoft currently rates exploitation as less likely and there’s no public disclosure or known exploitation, the potential impact is high across confidentiality, integrity, and availability, so treat it as a high-priority hardening item on devices where VBS is enabled.
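To find the devices where VBS is enabled, the sketch below queries the `Win32_DeviceGuard` CIM class on each host and flags the ones in scope for CVE-2026-20876. It is an added example, not Lansweeper's or Microsoft's code; `Get-VbsExposure` is a hypothetical helper name, and remote queries assume WinRM is reachable.

```powershell
# Added example: scope CVE-2026-20876 triage to hosts where VBS is enabled.
# Get-VbsExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-VbsExposure {
    [CmdletBinding()]
    param(
        # Hosts to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Documented values of Win32_DeviceGuard.VirtualizationBasedSecurityStatus.
    $vbsStatus = @{ 0 = 'Disabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    # Subset of the documented SecurityServicesRunning values.
    $services  = @{ 1 = 'CredentialGuard'; 2 = 'HVCI'; 3 = 'SystemGuardSecureLaunch' }

    foreach ($computer in $ComputerName) {
        $query = @{
            Namespace   = 'root\Microsoft\Windows\DeviceGuard'
            ClassName   = 'Win32_DeviceGuard'
            ErrorAction = 'Stop'
        }
        # Query the local host directly; only remote hosts go through WinRM.
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

        try {
            $dg     = Get-CimInstance @query
            $code   = [int]$dg.VirtualizationBasedSecurityStatus
            $active = @($dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } |
                ForEach-Object {
                    if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "Service$_" }
                })
            [pscustomobject]@{
                ComputerName    = $computer
                VbsStatus       = $vbsStatus[$code]
                ServicesRunning = $active -join ','
                InScope         = ($code -ne 0)   # enabled, whether or not running
                Error           = $null
            }
        }
        catch {
            # Class missing (older OS) or host unreachable: report, do not guess.
            [pscustomobject]@{
                ComputerName    = $computer
                VbsStatus       = 'Unknown'
                ServicesRunning = ''
                InScope         = $null
                Error           = $_.Exception.Message
            }
        }
    }
}
```

Hosts that come back as `Unknown` need a follow-up check rather than being treated as out of scope.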
Run the Patch Tuesday January 2026 Audit
To help manage your update progress, we’ve created the Patch Tuesday Audit that checks if the assets in your network are on the latest patch updates. The report is color-coded so you can see which machines are up to date and which ones still need to be updated. As always, system administrators are urged to update their environment as soon as possible to ensure all endpoints are secured.
The Lansweeper Patch Tuesday report is automatically added to your Lansweeper Site. Lansweeper Sites is included in all our licenses without any additional cost and allows you to federate all your installations into one single view, so all you need to do is look at one report, automatically added every Patch Tuesday!
Patch Tuesday January 2026 CVE Codes & Titles
| CVE Number | CVE Title |
| --- | --- |
| CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability |
| CVE-2026-21226 | Azure Core shared client library for Python Remote Code Execution Vulnerability |
| CVE-2026-21224 | Azure Connected Machine Agent Elevation of Privilege Vulnerability |
| CVE-2026-21221 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| CVE-2026-21219 | Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability |
| CVE-2026-20965 | Windows Admin Center Elevation of Privilege Vulnerability |
| CVE-2026-20963 | Microsoft SharePoint Remote Code Execution Vulnerability |
| CVE-2026-20962 | Dynamic Root of Trust for Measurement (DRTM) Information Disclosure Vulnerability |
| CVE-2026-20959 | Microsoft SharePoint Server Spoofing Vulnerability |
| CVE-2026-20958 | Microsoft SharePoint Information Disclosure Vulnerability |
| CVE-2026-20957 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-20956 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-20955 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2026-20952 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2026-20951 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2026-20950 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-20949 | Microsoft Excel Security Feature Bypass Vulnerability |
| CVE-2026-20948 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2026-20947 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2026-20946 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-20944 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2026-20943 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
| CVE-2026-20941 | Host Process for Windows Tasks Elevation of Privilege Vulnerability |
| CVE-2026-20940 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2026-20939 | Windows File Explorer Information Disclosure Vulnerability |
| CVE-2026-20938 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
| CVE-2026-20937 | Windows File Explorer Information Disclosure Vulnerability |
| CVE-2026-20936 | Windows NDIS Information Disclosure Vulnerability |
| CVE-2026-20935 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
| CVE-2026-20934 | Windows SMB Server Elevation of Privilege Vulnerability |
| CVE-2026-20932 | Windows File Explorer Information Disclosure Vulnerability |
| CVE-2026-20931 | Windows Telephony Service Elevation of Privilege Vulnerability |
| CVE-2026-20929 | Windows HTTP.sys Elevation of Privilege Vulnerability |
| CVE-2026-20927 | Windows SMB Server Denial of Service Vulnerability |
| CVE-2026-20926 | Windows SMB Server Elevation of Privilege Vulnerability |
| CVE-2026-20925 | NTLM Hash Disclosure Spoofing Vulnerability |
| CVE-2026-20924 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-20923 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-20922 | Windows NTFS Remote Code Execution Vulnerability |
| CVE-2026-20921 | Windows SMB Server Elevation of Privilege Vulnerability |
| CVE-2026-20920 | Win32k Elevation of Privilege Vulnerability |
| CVE-2026-20919 | Windows SMB Server Elevation of Privilege Vulnerability |
| CVE-2026-20918 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-20877 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-20876 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
| CVE-2026-20875 | Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability |
| CVE-2026-20874 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-20873 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-20872 | NTLM Hash Disclosure Spoofing Vulnerability |
| CVE-2026-20871 | Desktop Windows Manager Elevation of Privilege Vulnerability |
| CVE-2026-20870 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| CVE-2026-20869 | Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability |
| CVE-2026-20868 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2026-20867 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-20866 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-20865 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-20864 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability |
| CVE-2026-20863 | Win32k Elevation of Privilege Vulnerability |
| CVE-2026-20862 | Windows Management Services Information Disclosure Vulnerability |
| CVE-2026-20861 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-20860 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-20859 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability |
| CVE-2026-20858 | Windows Management Services Elevation of Privilege Vulnerability |
| CVE-2026-20857 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2026-20856 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability |
| CVE-2026-20854 | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability |
| CVE-2026-20853 | Windows WalletService Elevation of Privilege Vulnerability |
| CVE-2026-20852 | Windows Hello Tampering Vulnerability |
| CVE-2026-20851 | Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
| CVE-2026-20849 | Windows Kerberos Elevation of Privilege Vulnerability |
| CVE-2026-20848 | Windows SMB Server Elevation of Privilege Vulnerability |
| CVE-2026-20847 | Microsoft Windows File Explorer Spoofing Vulnerability |
| CVE-2026-20844 | Windows Clipboard Server Elevation of Privilege Vulnerability |
| CVE-2026-20843 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability |
| CVE-2026-20842 | Microsoft DWM Core Library Elevation of Privilege Vulnerability |
| CVE-2026-20840 | Windows NTFS Remote Code Execution Vulnerability |
| CVE-2026-20839 | Windows Client-Side Caching (CSC) Service Information Disclosure Vulnerability |
| CVE-2026-20838 | Windows Kernel Information Disclosure Vulnerability |
| CVE-2026-20837 | Windows Media Remote Code Execution Vulnerability |
| CVE-2026-20836 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| CVE-2026-20835 | Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
| CVE-2026-20834 | Windows Spoofing Vulnerability |
| CVE-2026-20833 | Windows Kerberos Information Disclosure Vulnerability |
| CVE-2026-20832 | Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability |
| CVE-2026-20831 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-20830 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| CVE-2026-20829 | TPM Trustlet Information Disclosure Vulnerability |
| CVE-2026-20828 | Windows rndismp6.sys Information Disclosure Vulnerability |
| CVE-2026-20827 | Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
| CVE-2026-20826 | Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
| CVE-2026-20825 | Windows Hyper-V Information Disclosure Vulnerability |
| CVE-2026-20824 | Windows Remote Assistance Security Feature Bypass Vulnerability |
| CVE-2026-20823 | Windows File Explorer Information Disclosure Vulnerability |
| CVE-2026-20822 | Windows Graphics Component Elevation of Privilege Vulnerability |
| CVE-2026-20821 | Remote Procedure Call Information Disclosure Vulnerability |
| CVE-2026-20820 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2026-20819 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
| CVE-2026-20818 | Windows Kernel Information Disclosure Vulnerability |
| CVE-2026-20817 | Windows Error Reporting Service Elevation of Privilege Vulnerability |
| CVE-2026-20816 | Windows Installer Elevation of Privilege Vulnerability |
| CVE-2026-20815 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| CVE-2026-20814 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| CVE-2026-20812 | LDAP Tampering Vulnerability |
| CVE-2026-20811 | Win32k Elevation of Privilege Vulnerability |
| CVE-2026-20810 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-20809 | Windows Kernel Memory Elevation of Privilege Vulnerability |
| CVE-2026-20808 | Windows File Explorer Elevation of Privilege Vulnerability |
| CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability |
| CVE-2026-20804 | Windows Hello Tampering Vulnerability |
| CVE-2026-20803 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| CVE-2026-0386 | Windows Deployment Services Remote Code Execution Vulnerability |
| CVE-2024-55414 | Windows Motorola Soft Modem Driver Elevation of Privilege Vulnerability |
| CVE-2023-31096 | MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability |