Microsoft's January 2026 Patch Tuesday: Critical Security Holes and Legacy Modem Drivers
Microsoft has released updates addressing at least 113 security vulnerabilities across its Windows operating systems and supported software. Eight of these vulnerabilities are rated 'critical' by Microsoft, and one is already being actively exploited by attackers. The zero-day flaw, CVE-2026-20805, is a bug in the Desktop Window Manager (DWM), a core component of Windows. Despite a moderate CVSS score of 5.5, Microsoft confirms active exploitation, indicating that threat actors are already targeting organizations with it.
This vulnerability can undermine Address Space Layout Randomization (ASLR), a key defense against buffer overflows and other memory-manipulation attacks. By revealing where code sits in memory, it can be chained with a separate code-execution flaw to turn an unreliable exploit into a practical, repeatable one. Because Microsoft has not disclosed which components are involved, defenders have little to hunt for proactively, which makes rapid patching the only effective mitigation.
Chris Goettl, vice president of product management at Ivanti, emphasizes the severity of CVE-2026-20805, affecting all supported Windows OS versions. He advises treating it as a higher severity than its 'Important' rating and low CVSS score.
Among the critical flaws are two Microsoft Office remote code execution bugs, CVE-2026-20952 and CVE-2026-20953, which can be triggered simply by viewing a booby-trapped message in the Preview Pane. In October 2025, Microsoft removed a modem driver after it was abused in a similar way. This month Microsoft removed two more, agrsm64.sys and agrsm.sys, developed by a now-defunct third party, from Windows.
Adam Barnett at Rapid7 highlights the removal's significance, questioning how many more legacy modem drivers are present on fully-patched Windows assets and how many elevation-to-SYSTEM vulnerabilities will emerge before Microsoft halts attackers exploiting these drivers.
Another critical issue is CVE-2026-21265, a Security Feature Bypass vulnerability affecting Windows Secure Boot, the feature that defends against rootkits and bootkits. This vulnerability is tied to Secure Boot certificates that are set to expire in June and October 2026. After expiration, Windows devices that have not received the new 2023 certificates will no longer get Secure Boot security fixes.
When updating the bootloader and BIOS, Barnett advises preparing carefully for the specific OS and BIOS combination in use to avoid leaving systems unbootable. Microsoft's Secure Boot root certificates, in use since the Stuxnet era, are the ones now expiring, which is why Microsoft issued replacement certificates in 2023.
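A defender-side check for two of the conditions described above, namely whether the retired agrsm64.sys/agrsm.sys modem drivers are still present on a host and whether that host's Secure Boot signature database (db) already carries the 2023 Microsoft CA. This is an added PowerShell example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on a UEFI Windows host with the built-in SecureBoot module, and it uses the certificate subject string Microsoft publishes for the 2023 db entry.

```powershell
# Added example (not from the article): two read-only checks on a Windows host.
# Assumes an elevated PowerShell on a UEFI system; nothing here modifies the machine.

function Test-LegacyModemDriver {
    # Driver file names are the two named in the article.
    $names = 'agrsm64.sys', 'agrsm.sys'
    $onDisk = foreach ($n in $names) {
        Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter $n -ErrorAction SilentlyContinue
    }
    # Also look for a registered driver service that still points at either file.
    $loaded = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -and ($names -contains (Split-Path $_.PathName -Leaf)) }
    [pscustomobject]@{
        FilesOnDisk    = @($onDisk | ForEach-Object FullName)
        DriverServices = @($loaded | ForEach-Object Name)
        Present        = (@($onDisk).Count -gt 0) -or (@($loaded).Count -gt 0)
    }
}

function Test-SecureBoot2023CA {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems.
        return [pscustomobject]@{ SecureBootEnabled = $false; Has2023CA = $false }
    }
    if (-not $enabled) {
        return [pscustomobject]@{ SecureBootEnabled = $false; Has2023CA = $false }
    }
    # db is a raw EFI_SIGNATURE_LIST blob; the CA subject name is readable as ASCII
    # inside the embedded DER certificates, so a substring match is sufficient here.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    [pscustomobject]@{
        SecureBootEnabled = $true
        # Subject string Microsoft publishes for the 2023 db certificate (assumption:
        # confirm against Microsoft's current Secure Boot guidance before relying on it).
        Has2023CA         = [bool]($db -match 'Windows UEFI CA 2023')
    }
}

Test-LegacyModemDriver
Test-SecureBoot2023CA
```

A host reporting `Present = True` still has the retired driver to clean up, and one reporting `Has2023CA = False` has not yet received the replacement certificates and will stop receiving Secure Boot fixes once the old ones expire.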
Firefox and Firefox ESR updates address 34 vulnerabilities, two of which are suspected to be under active exploitation. Google Chrome and Microsoft Edge updates are expected this week; a separate high-severity vulnerability in Chrome WebView was resolved in the January 6 Chrome update.
For detailed patch information, the SANS Internet Storm Center provides a breakdown by severity and urgency. Windows admins can monitor askwoody.com for patch-related news. Any installation issues can be discussed in the comments section.