Microsoft Patch Tuesday January 2026 | Critical Security Fixes & How to Protect Your Windows Devices (2026)

Microsoft's January 2026 Patch Tuesday: Critical Vulnerabilities and Legacy Modem Drivers

Microsoft has released patches to address a total of 113 security vulnerabilities across its Windows operating systems and supported software. Eight of these vulnerabilities are rated 'critical', and Microsoft warns that attackers are already exploiting one of the fixed bugs. The January zero-day flaw, CVE-2026-20805, is a Desktop Window Manager (DWM) vulnerability that could be chained with other code execution flaws to create a practical and repeatable attack. The flaw carries only a moderate CVSS score, but Microsoft confirms active exploitation, which highlights the need for rapid patching.

Chris Goettl, vice president of product management at Ivanti, emphasizes the severity of CVE-2026-20805, which affects all supported Windows versions. He advises treating it as higher severity than its vendor rating or CVSS score suggests. Two critical Microsoft Office remote code execution bugs, CVE-2026-20952 and CVE-2026-20953, can be triggered by viewing a booby-trapped message in the Preview Pane.

Adam Barnett at Rapid7 highlights the removal of legacy modem drivers due to vulnerabilities. Microsoft has removed agrsm64.sys and agrsm.sys, developed by a now-defunct third party, from Windows. Barnett raises concerns about the presence of other legacy modem drivers and the potential for further elevation-to-SYSTEM vulnerabilities. He warns that the mere presence of the driver is enough to render an asset vulnerable.
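
Because the presence of the driver file alone is what matters, a per-host inventory check is a natural follow-up. The PowerShell below is an added example, not code from this article or from Microsoft; it assumes the drivers sit in the default `%SystemRoot%\System32\drivers` and DriverStore locations and uses only the two file names given above.

```powershell
# Added example: look for the legacy modem drivers named above on one host.
# Assumption: drivers live in the default locations under %SystemRoot%.
$driverNames = 'agrsm64.sys', 'agrsm.sys'
$searchRoots = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

# Files on disk: report path, version, hash and signer for each copy found.
$files = foreach ($root in $searchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $driverNames -contains $_.Name } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $_.VersionInfo.FileVersion
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signer  = $sig.SignerCertificate.Subject
            }
        }
}

# Registered kernel driver services whose image path ends in one of the names.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($driverNames -contains ($_.PathName -split '\\')[-1]) } |
    Select-Object Name, State, StartMode, PathName

if (-not $files -and -not $services) {
    Write-Output "No copy of $($driverNames -join ', ') found on $env:COMPUTERNAME."
} else {
    $files    | Format-List
    $services | Format-Table -AutoSize
}
```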

Another critical issue is CVE-2026-21265, a Security Feature Bypass vulnerability affecting Windows Secure Boot. This feature, designed to protect against rootkits and bootkits, relies on certificates set to expire in June and October 2026. After expiration, devices without new 2023 certificates won't receive Secure Boot security fixes.

Mozilla has released updates for Firefox and Firefox ESR, resolving 34 vulnerabilities, two of which are suspected to be exploited. Updates for Google Chrome and Microsoft Edge are expected this week; in addition, a high-severity vulnerability in Chrome WebView was resolved in the January 6 Chrome update.

For Windows admins, the SANS Internet Storm Center provides a detailed breakdown of patch severity and urgency. Askwoody.com offers news on patches that may cause issues. Readers are encouraged to share any installation issues in the comments.


Author: Pres. Carey Rath
