Microsoft’s 2026 Kickoff: 110+ Patches Fix Active Zero-Days and Office Flaws

Microsoft has inaugurated its first Patch Tuesday of 2026, disseminating a comprehensive suite of mandatory security remediations for Windows, Office, and associated server ecosystems. Within this deployment, the corporation has neutralized over a hundred vulnerabilities, encompassing both latent flaws capable of facilitating arbitrary code execution and active “in-the-wild” exploits.

The January compendium of fixes addresses more than 110 CVE identifiers, including three formidable zero-day vulnerabilities. Furthermore, eight defects have been designated as high-risk, characterized by an elevated likelihood of exploitation. The remaining vulnerabilities predominantly involve privilege escalation, sensitive information exfiltration, and the perennial threat of remote code execution (RCE).

The most salient fix concerns CVE-2026-20805, a flaw residing within the Desktop Window Manager. Categorized under information disclosure, Microsoft corroborates that this vulnerability was actively weaponized by adversaries to access protected memory segments, thereby simplifying the orchestration of complex, multi-stage attack chains.

Accompanying this are two additional zero-day remediations: one involving the Secure Boot Certificate mechanism, addressing certificate expirations that could jeopardize system boot integrity by mid-year, and another pertaining to privilege escalation within Windows Digital Media. While neither has seen widespread exploitation, Microsoft has classified both as “important” priorities.

Beyond these, several other critical vulnerabilities merit specific attention:

• CVE-2026-20854: A remote code execution flaw within the Local Security Authority Subsystem Service (LSASS), theoretically empowering an assailant to seize total systemic control.

• CVE-2026-20952 & CVE-2026-20953: Critical vulnerabilities within Microsoft Office that permit arbitrary code execution via meticulously crafted documents.

• CVE-2026-20822: A privilege escalation defect within the Windows Graphics component.

• CVE-2026-20876: A failure in the VBS Enclave virtualization mechanism, which could allow an adversary to elevate permissions within an otherwise isolated environment.

These entries represent merely a fraction of the noteworthy CVEs integrated into the January cycle. As is customary, the patches encompass a broad spectrum of products, including supported iterations of Windows 11 and 10, server editions, .NET frameworks, and collaborative utilities. This inaugural Patch Tuesday serves as a sobering reminder that the crusade against vulnerabilities is ceaseless, demanding unwavering vigilance even during the holiday season.

The update is currently available via Windows Update, manual download catalogs, and enterprise patch management systems. Security experts and administrators strongly exhort immediate installation, particularly on networked devices, to mitigate the risk of successful incursions against unfortified systems.