Microsoft January Patch Tuesday Security Updates for Windows 10/11
Microsoft shipped its January Patch Tuesday security updates for Windows 10 (including ESU/LTSC) and Windows 11, addressing a large set of vulnerabilities and rolling in additional platform hardening changes. Windows 10’s KB5073724 (ESU) updates systems to build 19045.6809 (and LTSC 2021 to 19044.6809) and includes security/bug fixes plus a phased update to handle expiring Secure Boot certificates; it also removes legacy Agere modem drivers (agrsm64.sys, agrsm.sys, smserl64.sys, smserial.sys), which can break dependent modem hardware. Windows 11 cumulative updates KB5074109 (25H2/24H2) and KB5073455 (23H2) are mandatory and include fixes for issues such as WSL mirrored networking failures (“No route to host”) impacting VPN access and RemoteApp connection failures in Azure Virtual Desktop environments.
Third-party analysis of the same Patch Tuesday release reported 112 vulnerabilities (with 8 marked critical) and at least one vulnerability observed exploited in the wild: CVE-2026-20805. The critical issues highlighted include multiple remote code execution vulnerabilities across Windows components and Office applications (including LSASS, Word, Excel, and Office), plus elevation of privilege flaws such as CVE-2026-20822 (Windows Graphics Component, use-after-free leading to potential SYSTEM privileges) and CVE-2026-20854 (LSASS RCE over the network without requiring elevated privileges). Organizations should prioritize rapid deployment of the January Windows updates, with particular attention to exploited-in-the-wild items and critical RCE/EoP paths.
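A per-endpoint check for the driver removal and Windows 10 build numbers described above, as an added example (not Microsoft's code or part of the original page). It reports whether any of the four listed driver files is on disk or registered as a driver service, lists modem-class devices, and compares the installed build against 19045.6809 / 19044.6809. Variable and property names are illustrative.

```powershell
# Added example: endpoint check before/after deploying KB5073724 (Windows 10).
# File names and build numbers come from the summary above; variable names are illustrative.
$removedDrivers = 'agrsm64.sys', 'agrsm.sys', 'smserl64.sys', 'smserial.sys'
$targetRevision = 6809          # 19045.6809 and 19044.6809 (LTSC 2021)

# OS build and update build revision (UBR) from the registry.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [int]$cv.CurrentBuild
$ubr     = [int]$cv.UBR
$inScope = $build -in 19044, 19045

# Listed driver files still present on disk.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$onDisk = @($removedDrivers | Where-Object {
    Test-Path -LiteralPath (Join-Path $driverDir $_)
})

# Driver services whose image path ends in one of the listed file names.
$services = @(Get-CimInstance Win32_SystemDriver | Where-Object {
    $_.PathName -and
    ($removedDrivers -contains ($_.PathName -split '[\\/]')[-1].Trim('"'))
})

# Modem-class devices: candidates for breakage once the drivers are removed.
$modems = @(Get-CimInstance Win32_PnPSignedDriver | Where-Object {
    $_.DeviceClass -eq 'MODEM'
})

# One summary object per host, suitable for Export-Csv across a fleet.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Build             = "$build.$ubr"
    InScope           = $inScope
    AtOrAboveTarget   = $inScope -and ($ubr -ge $targetRevision)
    DriverFilesOnDisk = $onDisk -join ', '
    DriverServices    = ($services | ForEach-Object { "$($_.Name) [$($_.State)]" }) -join ', '
    ModemDevices      = ($modems | ForEach-Object { "$($_.DeviceName) ($($_.InfName))" }) -join '; '
    ReviewBeforePatch = ($services.Count -gt 0) -or ($modems.Count -gt 0)
}
```

A host where `ReviewBeforePatch` is true has modem hardware or a listed driver service that should be assessed before the update is installed.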
Timeline
Feb 3, 2026
CISA sets February 3 deadline for federal agencies to patch CVE-2026-20805
Following the KEV addition, CISA required U.S. federal civilian agencies to remediate CVE-2026-20805 by February 3, 2026. The deadline reflected the vulnerability's active exploitation status.
Jan 13, 2026
CISA adds CVE-2026-20805 to the KEV catalog
After Microsoft disclosed the active exploitation of CVE-2026-20805, CISA added the flaw to its Known Exploited Vulnerabilities catalog. The listing made the issue a priority for defenders and federal agencies.
Jan 13, 2026
Microsoft begins phased rollout of updated Secure Boot certificates
The January 2026 updates started a phased deployment of refreshed Secure Boot certificates to address the upcoming expiration of older certificates. Microsoft also changed rollout behavior to use device targeting data for staged deployment.
Jan 13, 2026
Microsoft removes vulnerable legacy modem drivers in January updates
As part of the January 2026 Windows updates, Microsoft removed legacy Agere modem drivers and related files tied to an elevation-of-privilege issue, with some reports also noting Motorola soft modem driver removal. Microsoft warned this could break dependent legacy modem hardware.
Jan 13, 2026
Windows 10 ESU update KB5073724 released
Microsoft released Windows 10 extended security update KB5073724 for Windows 10 and Enterprise LTSC systems enrolled in the ESU program. The update included January 2026 security fixes, removed specific Agere modem driver files, addressed the WinSqlite DLL issue, and began phased Secure Boot certificate updates.
Jan 13, 2026
Windows 11 January cumulative updates KB5074109 and KB5073455 ship
Microsoft released mandatory Windows 11 cumulative updates KB5074109 and KB5073455 for versions 25H2/24H2 and 23H2. The updates delivered the January 2026 security fixes, removed certain legacy modem drivers, fixed networking and power issues, and changed Secure Boot certificate rollout behavior to phased device targeting.
Jan 13, 2026
Microsoft flags additional January vulnerabilities as higher exploitation risk
Alongside the Patch Tuesday release, Microsoft identified eight additional vulnerabilities as more likely to be exploited. These included issues across Windows components such as Installer, Error Reporting, CLFS, NTFS, RRAS, WinSock ancillary driver, and DWM.
Jan 13, 2026
Microsoft patches actively exploited DWM zero-day CVE-2026-20805
The January 2026 updates fixed CVE-2026-20805, an information disclosure flaw in Desktop Window Manager that Microsoft said was being exploited in the wild. The bug can leak memory address information, potentially helping attackers bypass mitigations and chain follow-on attacks.
Jan 13, 2026
Microsoft releases January 2026 Patch Tuesday security updates
On January 13, 2026, Microsoft released its January Patch Tuesday updates, addressing 112 Microsoft vulnerabilities across Windows, Office, SharePoint, RRAS, and other products; some reports count 114 when including non-Microsoft or Chromium-related CVEs. The release included eight critical flaws and a large number of elevation-of-privilege and remote code execution issues.
Jun 1, 2025
Microsoft warns 2011 Secure Boot certificates will expire in 2026
Microsoft had warned since June 2025 that multiple Secure Boot certificates issued in 2011 would expire in 2026. The company said systems that do not receive updated certificates could face Secure Boot failures or weakened protections.
Related Stories

Microsoft January Patch Tuesday Fixes 114 Vulnerabilities Including Three Zero-Days
Microsoft’s January Patch Tuesday security updates addressed **114 vulnerabilities**, including **three zero-days** reported as publicly known and/or exploited. Reported issues span multiple Windows and Microsoft product components, including **Desktop Window Manager (DWM)**, legacy modem drivers, and core OS services, with a mix of **information disclosure**, **elevation of privilege (EoP)**, **security feature bypass**, and **remote code execution (RCE)** flaws. Technical highlights called out include **CVE-2023-31096** (Windows Agere Soft Modem Driver EoP), **CVE-2026-20805** (DWM information disclosure), and a **Secure Boot certificate expiration** security feature bypass (**CVE-2026-21265**). The update set also includes multiple **Office/Excel/Word RCE** vulnerabilities (e.g., **CVE-2026-20952**, **CVE-2026-20953**, **CVE-2026-20955**, **CVE-2026-20957**, **CVE-2026-20944**), Windows privilege-escalation issues (e.g., **Windows Graphics Component** and **VBS Enclave** EoP), and cloud/agent components such as **Azure Connected Machine Agent** (**CVE-2026-21224**) and **Azure Core shared client library for Python** (**CVE-2026-21226**).
Microsoft March Patch Tuesday Ships 83 Fixes and Windows 11 Cumulative Updates
Microsoft’s March Patch Tuesday security release shipped fixes for **83 vulnerabilities** across its enterprise software and services, and was notable for having **no actively exploited zero-days** for the first time in six months. Microsoft flagged **six** vulnerabilities as “more likely to be exploited,” and noted two issues—`CVE-2026-21262` and `CVE-2026-26127`—were **publicly known** at release. Researchers highlighted an Excel information-disclosure issue, `CVE-2026-26144`, describing a scenario where an attacker could potentially induce a *Copilot Agent* to exfiltrate data in a **zero-click** style workflow, and also pointed to Office flaws `CVE-2026-26110` and `CVE-2026-26113` (CVSS 8.4) that could enable **arbitrary code execution** via the Office preview pane. Microsoft also released **mandatory Windows 11 cumulative updates** `KB5079473` (25H2/24H2) and `KB5078883` (23H2) that incorporate the March 2026 Patch Tuesday security fixes, along with additional non-security changes. The updates advance build numbers to **26200.8037/26100.8037** (25H2/24H2) and **22631.6783** (23H2), expand “high-confidence device targeting” to increase coverage for automatic delivery of new **Secure Boot certificates**, and include reliability improvements such as better File Explorer search across drives and changes to **Windows Defender Application Control (WDAC)** behavior for COM objects (policy listing support).
Microsoft February Patch Tuesday Fixes Six Zero-Day Vulnerabilities and Rolls Out New Secure Boot Certificates
Microsoft released its **February 2026 Patch Tuesday** security updates, addressing **54–58 vulnerabilities** across Windows and other Microsoft products, including **six zero-days** that were **publicly disclosed and/or actively exploited** prior to patch availability. Reported zero-days include `CVE-2026-21514` (Office Word security feature bypass), `CVE-2026-21513` (MSHTML security feature bypass), `CVE-2026-21510` (Windows Shell security feature bypass), `CVE-2026-21533` (Windows Remote Desktop Services elevation of privilege), `CVE-2026-21525` (Windows Remote Access Connection Manager DoS), and `CVE-2026-21519` (Desktop Window Manager elevation of privilege). The broader release spans common bug classes such as **RCE**, **EoP**, **information disclosure**, **spoofing**, **DoS**, and **security feature bypass**, with multiple **Critical** issues also called out, including Azure Compute Gallery flaws impacting *ACI Confidential Containers* (`CVE-2026-23655`, `CVE-2026-21522`). As part of the February Windows updates, Microsoft also began a **phased rollout of updated Secure Boot certificates** to replace the original **2011 certificates** ahead of their expiration in **late June 2026**, using “targeting data” and “successful update signals” to control deployment. Windows 11 cumulative updates (including **KB5077181** and **KB5075941**) were released as mandatory Patch Tuesday packages for supported Windows 11 versions, bundling the security fixes alongside additional reliability and feature changes. Separately, Adobe issued February security bulletins covering **44 CVEs** across multiple Creative Cloud products; those Adobe issues were not listed as publicly known or under active attack at release.