January 2026 Patch Tuesday: Patch Windows 10 Now for DWM Zero‑Day and 112 CVEs

Windows 10 users should install the January 2026 security updates without delay: Microsoft’s first Patch Tuesday of the year fixed more than a hundred vulnerabilities — including an actively exploited zero‑day in the Desktop Window Manager — and federal agencies have already been ordered to remediate specific flaws by set deadlines. These updates close widely abused information‑disclosure and privilege‑escalation gaps, remove decades‑old vulnerable drivers, and include fixes that prevent future Secure Boot problems; delaying installation meaningfully increases the odds that attackers will exploit leaked memory information to chain into full system compromise.

Background / Overview​

Microsoft’s January 2026 Patch Tuesday was unusually large and consequential. Industry trackers report the update bundle addresses roughly 112–114 CVEs spanning Windows, Office, and server products, with multiple zero‑day and security‑feature‑bypass fixes. One of those — CVE‑2026‑20805, an information‑disclosure bug in the Desktop Window Manager (DWM) — is confirmed to be actively exploited in the wild and was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog with a federal remediation due date. This headline item is coupled with practical, long‑term concerns for Windows 10 users. Windows 10’s standard support ended in October 2025 and Microsoft is offering a limited consumer Extended Security Updates (ESU) program that allows eligible Windows 10, version 22H2 devices to receive security‑only fixes through October 13, 2026 — but enrollment and eligibility matter. Community threads and advisories have been warning for months that unpatched or unenrolled Windows 10 machines face elevated exposure to mass scanning and exploit campaigns.

---

What changed in January’s Patch Tuesday​

The headline: an actively exploited Desktop Window Manager (DWM) flaw​

• CVE‑2026‑20805 is an information disclosure vulnerability affecting DWM. Successful exploitation allows an authorized local attacker to reveal user‑mode memory addresses (notably section addresses associated with remote ALPC ports), information that can be used to defeat mitigations such as Address Space Layout Randomization (ASLR) and make follow‑on code execution far easier. Microsoft, NIST/NVD, and multiple security vendors confirmed the bug and its inclusion in CISA’s KEV catalog. Federal agencies must remediate per CISA’s schedule.
• The documented CVSS base score for CVE‑2026‑20805 is 5.5 (medium), but vendors and researchers warn the operational risk is higher because memory disclosure is a common enabler for rapid privilege escalation or remote code‑execution chains. Treat this as a high‑priority patch even if the numeric CVSS looks moderate.

Other important fixes included in the bundle​

• Secure Boot certificate expiration / security‑feature‑bypass — Microsoft shipped updated certificates and mitigations for Secure Boot certificate issues (CVE‑2026‑21265). Systems that miss this update may later fail to trust boot components or be left unable to apply future firmware/boot protections if certificates expire.
• Legacy driver removals — Microsoft removed old Agere and Motorola soft‑modem drivers that have persisted in Windows and historically carried elevation‑of‑privilege risks (e.g., CVE‑2023‑31096). Organizations using legacy telephony or specialized embedded hardware should validate driver compatibility post‑update.
• Multiple remote code execution (RCE) and elevation‑of‑privilege (EoP) fixes across Windows and Office: vendor reviews list dozens of privilege‑escalation and RCE CVEs that enterprises should triage based on exposure and exploitability.

Discrepancies in CVE counts — why numbers differ​

Different vendors and news outlets reported the total CVE count as 112, 113, or 114. These slight discrepancies stem from how republished CVEs, third‑party driver fixes, and Microsoft’s own advisory edits are counted by each analyst. The practical takeaway is simple: the update is large and contains multiple high‑impact fixes; treat it as urgent regardless of the exact headline count.

---

Why the DWM information leak matters technically​

What the bug leaks and why that helps attackers​

Memory disclosure bugs like CVE‑2026‑20805 don’t directly give an attacker code execution, but they let attackers read internal addresses and layout information. With that intelligence an attacker can:

• Determine the location of libraries or objects in memory.
• Bypass ASLR and other memory‑randomization protections.
• Construct reliable exploits or chain with a separate RCE/EoP bug to escalate to arbitrary code execution.

Security research and vendor analyses explicitly point out that leaked ALPC/section addresses are exactly the sort of artifact attackers use to turn a local foothold into a system‑level compromise. Because the flaw is already observed being exploited, defenders must assume attackers are actively attempting those next stages.

Operational impact: when disclosure becomes dangerous​

• On isolated single‑user machines the practical exploitation path requires local access in many documented scenarios — for example, a low‑privilege process or a malicious user account gaining a foothold. In enterprise environments, however, attackers commonly combine local leaks with network vectors (phishing, remote services) to escalate across the estate. That’s why CISA’s KEV listing triggered binding remediation guidance for federal agencies.
• Memory disclosures are high‑value components in modern exploit toolkits; once an attacker can defeat ASLR reliably, many previously hard‑to‑exploit bugs become practical. Patching the leak closes that enabler and reduces attacker success rates against other, potentially more severe vulnerabilities.

---

Windows 10 users: special considerations (EOL, ESU, and enrollment)​

End of standard support and the ESU bridge​

Microsoft ended mainstream Windows 10 support on October 14, 2025. For consumers who need more time, Microsoft has a Windows 10 consumer Extended Security Updates (ESU) program that provides critical and important security updates through October 13, 2026 for eligible devices running Windows 10 version 22H2. Enrollment options include a free route that requires syncing settings to a Microsoft Account, redeeming Microsoft Rewards points, or a one‑time paid option. Devices must meet prerequisites and be on the qualifying build to receive ESU updates.

Why enrollment and prompt patching matter now​

• Devices not enrolled in ESU and not upgraded to Windows 11 will stop receiving vendor‑signed security patches; unpatched machines become attractive targets for automated scanning and mass exploitation campaigns. Community alerts and forum threads have repeatedly stressed that federal and high‑value targets will be prioritized by adversaries, and public advisories have urged immediate enrollment or migration.
• ESU is a short bridge, not a long‑term plan. Even with ESU, users should plan migration or system replacement; relying on the bridge forces future technical debt and a sustained security burden.

---

Practical guidance: how to patch and verify​

Applying the January 2026 fixes is straightforward for most users, but follow these steps to ensure updates land cleanly and you don’t accidentally skip important prerequisites.

• Backup first: create a full system backup or at minimum ensure critical data is copied to a safe location. This reduces disruption risk if an update interacts with legacy drivers or specialized software.
• Confirm ESU/OS status: Windows 10 users should verify they’re on version 22H2 and enrolled in ESU if they intend to remain on Windows 10 past October 2025. Microsoft’s ESU enrollment is available via Settings → Update & Security → Windows Update.
• Check Windows Update: open Settings → Update & Security → Windows Update and select Check for updates. Install the offered cumulative/security updates and any associated Servicing Stack Updates (SSUs) or firmware updates recommended by Microsoft.
• Reboot and verify: many updates require one or more reboots. After rebooting, validate the update via Settings → Update History and confirm the relevant KB numbers are present.
• For managed fleets: deploy patches in test rings, monitor telemetry for regressions, and prioritize endpoints exposed to remote access and high‑privilege systems. Use patch orchestration and vulnerability management tools to confirm compliance.

Special notes for administrators​

• Prioritize systems that process sensitive data or are internet‑facing. CISA KEV additions (e.g., CVE‑2026‑20805) carry compliance deadlines for federal agencies and should be treated as high priority.
• Be cautious with firmware/BIOS updates tied to Secure Boot certificate changes. Vendor BIOS updates may be needed to align platform firmware with Microsoft’s new Secure Boot certificates; coordinate with OEMs to avoid bricking or boot‑failures on legacy hardware. SANS and other analysts explicitly warned about the need to apply updates before certificate expiry windows in 2026.

---

Known issues and the tradeoffs of rapid patching​

Updates can introduce regressions — evidence from January 2026​

Microsoft’s January security rollups were large and, in related events, some early 2026 updates for Windows 11 caused functional regressions that required emergency fixes (for example, shutdown/hibernation problems and Remote Desktop login issues resolved by a quick corrective update). That reality means organizations should balance urgency with controlled rollout: patch quickly, but use staggered deployment and monitoring for side effects.

Balancing immediate risk vs. operational impact​

• Immediate patching reduces exposure to active exploitation but may cause compatibility problems with niche drivers or older third‑party software. For isolated or offline devices used with legacy hardware, consider temporary network isolation if immediate patching would break critical workflows; plan a remediation path that includes driver updates or hardware replacement.
• For home users: the simplest safe path is to apply updates promptly and keep robust backups. For managed enterprises, adopt a rapid‑patch ring (test → pilot → broad) and ensure rollback procedures and endpoint recovery plans are in place.

---

What to watch next — post‑patch threat surface and researcher guidance​

• Detection and monitoring: security teams should hunt for indicators of DWM abuse (unexpected ALPC behavior, process memory inspection anomalies) and for exploitation artifacts that indicate aliasing into kernel or service processes. Vendors are already publishing detection guidance and detection content for SIEM/SOAR platforms.
• Watch for chained attacks: because information‑disclosure flaws amplify the risk of other bugs, defenders should assume adversaries will attempt to combine the DWM leak with privilege‑escalation or remote code vulnerabilities. Harden lateral movement controls and restrict local execution of untrusted binaries.
• Firmware and OEM coordination: Secure Boot related fixes may require BIOS updates. Track OEM advisories and schedule firmware updates alongside Windows patches to avoid mismatches that could trigger boot errors.

---

Strengths and weaknesses of Microsoft’s response — critical analysis​

Notable strengths​

• Rapid patch release cycle: Microsoft released a large set of fixes quickly and worked with government agencies to identify and prioritize actively exploited flaws. The inclusion of updated Secure Boot certificates and removal of legacy vulnerable drivers demonstrates a willingness to remove long‑standing systemic weak points rather than only slapping on bandaids.
• Clear federal escalation: CISA’s KEV listing and the accompanying remediation deadlines provided unambiguous guidance to federal and critical infrastructure entities, which helps force prioritization in complex IT estates.

Potential weaknesses and risks​

• Patch size and regression risk: a very large bundle increases the chance of regressions. The early‑January Windows 11 out‑of‑band issue that prevented shutdowns shows that even major vendors can introduce functional regressions that demand emergency fixes. That dynamic complicates a clear "patch immediately" call for administrators who must weigh downtime and compatibility risk.
• Communication and counts mismatch: inconsistent CVE totals across vendor writeups create noise for decision‑makers and can obscure triage priorities. Public advisories succeeded in highlighting the KEV items, but the sheer volume of fixes increases cognitive load for defenders.
• Windows 10 lifecycle friction: Microsoft’s ESU enrollment requirements (including Microsoft Account linkage for consumers) and the short‑term nature of the ESU program create practical and privacy tradeoffs for users who prefer local accounts or who operate legacy hardware that won’t accept firmware updates. Those constraints mean some users will struggle to stay patched and secure.

---

Quick checklist — immediate steps for every Windows 10/11 user​

• Apply the January 2026 security updates now via Windows Update. Reboot as required and confirm installation in Update History.
• If you’re on Windows 10 and not yet upgraded to Windows 11, enroll in the Consumer ESU (if eligible) or begin a migration plan. ESU enrollment options and the final ESU end date (October 13, 2026) are available on Microsoft’s site.
• Backup before patching; validate critical apps and device drivers after updates.
• For enterprises: prioritize endpoints exposed to networks and remote access; deploy in rings and monitor telemetry for post‑update regressions.
• Maintain endpoint detection tools and threat hunting — memory‑leak disclosures commonly appear as the precursor to exploitation chains.

---

Final assessment and closing​

January’s Patch Tuesday is a reminder that modern Windows security is a moving target: attackers seek subtle information leaks and legacy artifacts, while defenders must juggle urgent patching with operational resilience. The confirmed active exploitation of CVE‑2026‑20805 in the Desktop Window Manager elevates this month’s release from routine housekeeping to a must‑install security event for almost every Windows environment. At the same time, the ecosystem shows familiar tradeoffs — ESU is a temporary bridge, large rollouts can introduce regressions, and firmware/driver coordination is essential to avoid boot or compatibility failures. The practical imperative is clear: install the updates, verify them, and treat the DWM fix and Secure Boot certificate updates as top priorities. For users remaining on Windows 10, confirm ESU enrollment if you will not migrate immediately. For administrators, triage, test, and deploy rapidly while maintaining rollback and recovery options. The adversary window created by unpatched systems is real — and this patch set removes a highly useful tool from attackers’ toolkits if it’s applied broadly and quickly. If there’s any lingering uncertainty about whether your device is covered or how to enroll in ESU, Microsoft’s official guidance and the ESU enrollment pages are the authoritative references to consult — and community discussions have repeatedly emphasized the same practical advice: patch, back up, and plan migration rather than relying on temporary workarounds.

---

Source: Inbox.lv News feed at Inbox.lv -