Patch Tuesday January 2026 - Critical Microsoft Security Patches Released Including Vulnerabilities Being Actively Exploited in the Wild

Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive’s Container 7 Research Team reviews these patch notes for the standout vulnerabilities you need to know about.
CVE-2026-20805 - 5.5 - Desktop Window Manager Information Disclosure Vulnerability
Kev Breen, Senior Director, Cyber Threat Research, Immersive
The first release of patches for Microsoft in 2026, and top of the list for patching is CVE-2026-20805, an information disclosure vulnerability in the Desktop Window Manager. Don't be fooled by its relatively low score of 5.5: Microsoft has detected active exploitation in the wild, which means threat actors are already using this against organizations.
The flaw leaks a memory address from a remote ALPC port. This type of information disclosure vulnerability is often used to defeat Address Space Layout Randomization (ASLR), a security feature in modern operating systems designed to protect against buffer overflows and other exploits that rely on manipulating the memory of a running application. Once attackers know where code resides in memory, they can chain this with a separate code execution bug to turn a difficult exploit into a reliable one.
Microsoft doesn't provide any information on what other components that chain could involve, which makes it harder for defenders to threat hunt for potential exploitation attempts; patching quickly is the only mitigation for now.
CVE-2026-20840, CVE-2026-20922 - Windows NTFS Remote Code Execution Vulnerability
Kev Breen, Senior Director, Cyber Threat Research, Immersive
Also high on the list is a pair of heap-based buffer overflow vulnerabilities in Windows NTFS. Microsoft has flagged both as "Exploitation More Likely," signaling that the technical barriers to weaponization are low. These vulnerabilities were reported to Microsoft by a third party, meaning technical write-ups could follow; if technical details are made public, this becomes a possible n-day vulnerability, leaving only a small window to apply patches.
Despite the "Remote Code Execution" label, this is a local vulnerability: either an attacker must already be able to run code on the vulnerable host through another exploit, or, if this is a file-based exploit, it may be exploitable through social engineering techniques such as phishing emails with attachments or tricking users into downloading and running malicious files.
Previous NTFS vulnerabilities have often used Virtual Hard Disk (VHD) files as the delivery mechanism. These are not common file types for end users to be interacting with, so a proactive step would be to monitor for virtual disk images being downloaded or received through email.
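One way to act on that monitoring advice is to identify virtual disk images by content rather than by file name, so a VHD or VHDX renamed to look like a document is still caught. The script below is an added example written for this article, not code from Immersive or Microsoft. It relies on the on-disk identifiers of the two formats (a VHDX file starts with the ASCII bytes `vhdxfile`; a VHD carries a 512-byte footer beginning with `conectix`, which dynamic and differencing VHDs also copy to offset 0) and builds a small set of constructed sample files in a temporary directory to scan; the directory layout and file names are illustrative only.

```python
"""Hunt for Virtual Hard Disk images (VHD/VHDX) among saved attachments or
downloads, identifying them by content so renamed images are not missed.

Added example; not part of the original Patch Tuesday write-up. The magic
values are the public on-disk identifiers of the two formats; the sample
files are constructed here purely for the demonstration.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

VHDX_SIGNATURE = b"vhdxfile"     # first 8 bytes of a VHDX file
VHD_FOOTER_COOKIE = b"conectix"  # first 8 bytes of the 512-byte VHD footer
VHD_FOOTER_SIZE = 512
DISK_IMAGE_EXTENSIONS = {".vhd", ".vhdx"}


def identify_disk_image(path: Path) -> Optional[str]:
    """Return 'VHDX', 'VHD', or None based purely on file content."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        head = fh.read(8)
        if head == VHDX_SIGNATURE:
            return "VHDX"
        # Dynamic/differencing VHDs keep a copy of the footer at offset 0.
        if head == VHD_FOOTER_COOKIE:
            return "VHD"
        # Fixed VHDs only carry the footer in the last 512 bytes.
        if size >= VHD_FOOTER_SIZE:
            fh.seek(-VHD_FOOTER_SIZE, os.SEEK_END)
            if fh.read(8) == VHD_FOOTER_COOKIE:
                return "VHD"
    return None


def scan_directory(root: Path) -> List[Dict[str, object]]:
    """Walk a directory and report anything that is, or claims to be, a disk image."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        kind = identify_disk_image(path)
        ext_claims_image = path.suffix.lower() in DISK_IMAGE_EXTENSIONS
        if kind or ext_claims_image:
            findings.append({
                "path": str(path.relative_to(root)),
                "content_type": kind,                 # what the bytes say it is
                "extension_claims_disk_image": ext_claims_image,
                # A real image hiding behind another extension is the case to
                # escalate: it suggests deliberate disguise.
                "extension_mismatch": bool(kind) and not ext_claims_image,
            })
    return findings


def build_sample_dir() -> Path:
    """Create constructed sample files (not real malware) for the demo."""
    d = Path(tempfile.mkdtemp(prefix="attachments_"))
    # Constructed: a fixed VHD, footer only at the end of the file.
    (d / "quarterly_report.vhd").write_bytes(
        b"\x00" * 1024 + VHD_FOOTER_COOKIE + b"\x00" * (VHD_FOOTER_SIZE - 8))
    # Constructed: a VHDX renamed to look like a PDF.
    (d / "invoice.pdf").write_bytes(VHDX_SIGNATURE + b"\x00" * 1016)
    # Constructed: a benign text file that must not be flagged.
    (d / "notes.txt").write_bytes(b"nothing to see here\n")
    # Constructed: .vhd extension but not actually a disk image.
    (d / "odd.vhd").write_bytes(b"just text")
    return d


if __name__ == "__main__":
    for finding in scan_directory(build_sample_dir()):
        print(finding)
```

Point `scan_directory` at a mail-gateway quarantine folder or a user's Downloads directory; entries with `extension_mismatch` set are the ones worth a closer look first.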
CVE-2026-20856 - 8.1 - Windows Server Update Service (WSUS) Remote Code Execution Vulnerability
Kev Breen, Senior Director, Cyber Threat Research, Immersive
CVE-2026-20856 is a standout vulnerability in this patch cycle, a remote code execution vulnerability affecting the Windows Server Update Service (WSUS). The reason this stands out is that we observed active exploitation of WSUS servers at the end of 2025.
Despite the history of exploitation of this service, Microsoft has marked this one as “Exploitation Less Likely”. This is accompanied by a note indicating that successful exploitation relies on a machine-in-the-middle (MiTM) attack, where the attacker is able to read or modify network traffic between the target and the WSUS server.
While this does increase the difficulty, motivated and capable financial-crime threat actors, and especially nation-state or state-sponsored threat actors, will likely have this capability. This means your own threat landscape and the potential impact must be considered when prioritising patches, rather than relying solely on Microsoft's assessment or CVSS scores.
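Since the exploitation path Microsoft describes depends on an attacker reading or modifying traffic between a client and its WSUS server, one practical check while patches roll out is whether clients are configured to reach WSUS over plaintext HTTP. The following is an added example for this article, not Immersive's or Microsoft's code. It assumes the standard Windows Update policy location `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` (values `WUServer` and `WUStatusServer`, and `AU\UseWUServer`), and the assumption that an `http://` WSUS URL is the configuration most exposed to an on-path attacker; the policy dictionaries used in the demonstration are constructed.

```python
"""Audit a Windows Update client's WSUS policy for plaintext HTTP.

Added example, not from the original article. Registry paths are the
standard Windows Update policy values; the sample policies are constructed.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
URL_VALUES = ("WUServer", "WUStatusServer")


def assess_wsus_policy(policy: Dict[str, Optional[object]]) -> List[Tuple[str, str]]:
    """Return (value_name, issue) pairs describing weaknesses in the policy.

    An empty list means WSUS is enforced and both endpoints use https://.
    """
    issues: List[Tuple[str, str]] = []
    if not policy.get("UseWUServer"):
        # Clients fall back to Microsoft Update directly; WSUS MiTM does not apply.
        return [("UseWUServer", "wsus-not-enforced")]
    for name in URL_VALUES:
        url = policy.get(name)
        if not url:
            issues.append((name, "missing"))
            continue
        parsed = urlparse(str(url))
        if parsed.scheme.lower() != "https":
            # Update metadata fetched over http:// can be read or altered on path.
            issues.append((name, "plaintext-http"))
    return issues


def read_wsus_policy() -> Dict[str, Optional[object]]:
    """Read the live policy on a Windows host (only usable where winreg exists)."""
    try:
        import winreg  # only present on Windows
    except ImportError as exc:
        raise RuntimeError("registry read only available on Windows") from exc

    def query(subkey: str, name: str) -> Optional[object]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None

    return {
        "WUServer": query(POLICY_KEY, "WUServer"),
        "WUStatusServer": query(POLICY_KEY, "WUStatusServer"),
        "UseWUServer": query(POLICY_KEY + r"\AU", "UseWUServer"),
    }


# Constructed sample policies, as they would come back from read_wsus_policy().
WEAK_POLICY = {
    "UseWUServer": 1,
    "WUServer": "http://wsus.corp.example:8530",
    "WUStatusServer": "http://wsus.corp.example:8530",
}
HARDENED_POLICY = {
    "UseWUServer": 1,
    "WUServer": "https://wsus.corp.example:8531",
    "WUStatusServer": "https://wsus.corp.example:8531",
}

if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, assess_wsus_policy(pol) or "no issues")
```

On a Windows host, `assess_wsus_policy(read_wsus_policy())` gives the live result; running the same function across an inventory export of these registry values shows which machines are still pulling updates over plaintext HTTP.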