Microsoft January Windows Updates Trigger Patch-Break-Patch Cycle and Emergency OOB Fixes
Microsoft’s January Windows security updates triggered an unusual patch-break-patch cycle that forced multiple out-of-band (OOB) releases after users reported significant regressions. Reporting indicates the Jan. 13 Patch Tuesday update (including KB5074109) was followed by an urgent Jan. 17 fix that introduced additional problems, leading to a second emergency OOB update on Jan. 24; impacts cited include Remote Desktop sign-in/authentication failures and broader stability issues such as Outlook freezing and file-system/compatibility problems affecting OneDrive and Dropbox integrations. Microsoft advised customers to move to the latest available update despite the disruption.
Separate analysis highlighted that Windows’ long-standing commitment to backwards compatibility continues to create persistent exposure and operational risk: many exploited-in-the-wild Microsoft zero-days in 2025 were elevation-of-privilege issues rooted in legacy components, reinforcing that “traditional” exploit chains and accumulated Windows tech debt remain a primary driver of both security and patching complexity. Taken together, the coverage underscores that Windows defenders face a dual challenge: rapid deployment of security fixes to reduce exploitation risk, while managing the real possibility that emergency remediation can itself introduce enterprise-impacting outages.
Timeline
Jan 24, 2026
Microsoft releases second emergency update KB5078127
On 2026-01-24, Microsoft issued a second out-of-band update, KB5078127, to remediate the bugs introduced by the earlier emergency patch. Microsoft advised affected users to update to the latest version.
Jan 17, 2026
First emergency fix introduces OneDrive, Dropbox, and Outlook bugs
Following deployment of KB5077744, new issues were reported including file access problems involving OneDrive and Dropbox, as well as Outlook freezing and mail anomalies. The failed remediation forced Microsoft into a second emergency response.
Jan 17, 2026
Microsoft issues first emergency out-of-band fix KB5077744
On 2026-01-17, Microsoft released an out-of-band update, KB5077744, primarily targeting Windows 11 24H2 and 25H2 systems to address problems introduced by the January Patch Tuesday release. This marked the first emergency remediation in the month's patch cycle.
Jan 13, 2026
January Patch Tuesday update causes Remote Desktop and stability issues
After KB5074109 was deployed, users experienced Remote Desktop sign-in failures along with shutdown and hibernation problems. These regressions triggered the need for an out-of-band fix.
Jan 13, 2026
Microsoft releases January 2026 Patch Tuesday update KB5074109
On 2026-01-13, Microsoft issued its regular Patch Tuesday Windows update, KB5074109, to address multiple issues and vulnerabilities. The update later proved problematic for some users and systems.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Threat Actors
Malware
Organizations
Affected Products
Sources
Related Stories
Microsoft January Patch Tuesday Security Updates for Windows 10/11
Microsoft shipped its January Patch Tuesday security updates for **Windows 10** (including ESU/LTSC) and **Windows 11**, addressing a large set of vulnerabilities and rolling in additional platform hardening changes. Windows 10’s *KB5073724* (ESU) updates systems to build `19045.6809` (and LTSC 2021 to `19044.6809`) and includes security/bug fixes plus a phased update to handle **expiring Secure Boot certificates**; it also removes legacy **Agere modem drivers** (`agrsm64.sys`, `agrsm.sys`, `smserl64.sys`, `smserial.sys`), which can break dependent modem hardware. Windows 11 cumulative updates *KB5074109* (25H2/24H2) and *KB5073455* (23H2) are mandatory and include fixes for issues such as WSL mirrored networking failures (“No route to host”) impacting VPN access and RemoteApp connection failures in Azure Virtual Desktop environments. Third-party analysis of the same Patch Tuesday release reported **112 vulnerabilities** (with **8 marked critical**) and at least one vulnerability observed exploited in the wild: **CVE-2026-20805**. The critical issues highlighted include multiple **remote code execution** vulnerabilities across Windows components and Office applications (including **LSASS**, Word, Excel, and Office), plus **elevation of privilege** flaws such as **CVE-2026-20822** (Windows Graphics Component, use-after-free leading to potential SYSTEM privileges) and **CVE-2026-20854** (LSASS RCE over the network without requiring elevated privileges). Organizations should prioritize rapid deployment of the January Windows updates, with particular attention to exploited-in-the-wild items and critical RCE/EoP paths.
1 months ago
Microsoft January Patch Tuesday Fixes 114 Vulnerabilities Including Three Zero-Days
Microsoft’s January Patch Tuesday security updates addressed **114 vulnerabilities**, including **three zero-days** reported as publicly known and/or exploited. Reported issues span multiple Windows and Microsoft product components, including **Desktop Window Manager (DWM)**, legacy modem drivers, and core OS services, with a mix of **information disclosure**, **elevation of privilege (EoP)**, **security feature bypass**, and **remote code execution (RCE)** flaws. Technical highlights called out include **CVE-2023-31096** (Windows Agere Soft Modem Driver EoP), **CVE-2026-20805** (DWM information disclosure), and a **Secure Boot certificate expiration** security feature bypass (**CVE-2026-21265**). The update set also includes multiple **Office/Excel/Word RCE** vulnerabilities (e.g., **CVE-2026-20952**, **CVE-2026-20953**, **CVE-2026-20955**, **CVE-2026-20957**, **CVE-2026-20944**), Windows privilege-escalation issues (e.g., **Windows Graphics Component** and **VBS Enclave** EoP), and cloud/agent components such as **Azure Connected Machine Agent** (**CVE-2026-21224**) and **Azure Core shared client library for Python** (**CVE-2026-21226**).
1 months ago
Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation
Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.
1 months ago