Post-Patch Tuesday Roundup: January 2026 :: Softcat
Post-Patch Tuesday Roundup: January 2026

Softcat’s January 2026 Patch Tuesday summary highlights updates from major vendors including Microsoft, Adobe, Cisco, SAP, Ivanti, Trend Micro, Fortinet, and Veeam as they release patches addressing a wide range of vulnerabilities across their respective platforms.

Philip Odjidja

Vulnerability Engineer

This release includes multiple zero‑day disclosures, some of which are under active exploitation.

Microsoft addresses 114 CVEs in the first Patch Tuesday of 2026: eight are rated critical (six remote code execution flaws and two elevation-of-privilege flaws) and 105 are rated important. The release includes three zero-days, one of which was exploited in the wild. A complete list of all the other vulnerabilities Microsoft disclosed this month is available: Security updates

Zero Day Vulnerability:

Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited with no official fix available at the time of this publication.

CVE-2026-20805 - A security vulnerability in the Desktop Window Manager (DWM) component of Windows. It allows an attacker with local access to the system to leak sensitive information from memory, which could then help them bypass defenses or chain into more serious attacks. Microsoft says that successfully exploiting the flaw allows attackers to read memory addresses associated with the remote ALPC port.

Additionally, Microsoft addressed another Desktop Window Manager vulnerability this month. CVE-2026-20871 is an elevation-of-privilege (EoP) flaw rated Important with a CVSS v3 score of 7.8. Unlike CVE-2026-20805, this vulnerability has not been observed being exploited in the wild, though Microsoft assessed it as “Exploitation More Likely.”

CVE-2026-21265 - A security feature bypass vulnerability affecting Windows Secure Boot related to expiring Secure Boot certificates. It was assigned a CVSSv3 score of 6.4 and is rated important. It was assessed as “Exploitation Less Likely.”

Microsoft Secure Boot certificates are stored in the Unified Extensible Firmware Interface (UEFI) Key Enrollment Key (KEK) and the DB. As these certificates near expiration, updates are required to preserve the Secure Boot trust chain and ensure continued platform integrity. The following certificates are scheduled to expire in 2026:

| Certificate Authority (CA) | Location | Purpose | Expiration Date |
| --- | --- | --- | --- |
| Microsoft Corporation KEK CA 2011 | KEK | Signs updates to the DB and DBX | 24/06/2026 |
| Microsoft Corporation UEFI CA 2011 | DB | Signs third party boot loaders, Option ROMs and more | 27/06/2026 |
| Microsoft Windows Production PCA 2011 | DB | Signs the Windows Boot Manager | 19/10/2026 |
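
An added example, not from the original article or from Microsoft: a small parser for the EFI_SIGNATURE_LIST layout used by the KEK and DB variables, reporting which of the 2011 certificates listed above are still enrolled and how many days remain before the stated expiry. The sample variable body and the helper make_list are constructed for illustration, and matching the certificate name as a byte string is a simplifying assumption rather than full X.509 parsing.

```python
import struct
import uuid
from datetime import date

# Signature type GUIDs defined by the UEFI specification.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # DER X.509 cert
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # SHA-256 hash
# Names and expiry dates exactly as listed in the article's table.
EXPIRING = {
    "Microsoft Corporation KEK CA 2011": date(2026, 6, 24),
    "Microsoft Corporation UEFI CA 2011": date(2026, 6, 27),
    "Microsoft Windows Production PCA 2011": date(2026, 10, 19),
}

def x509_entries(blob):
    """Yield the DER bytes of every X.509 entry in a KEK/DB variable body."""
    off = 0
    while off + 28 <= len(blob):  # 28 = type GUID + three uint32 size fields
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            if sig_type == X509_GUID:
                yield blob[pos + 16:pos + sig_size]  # skip 16-byte SignatureOwner
            pos += sig_size
        off = end

def expiring_certs(blob, today):
    """Map each 2011 CA found in the variable to days left before it expires."""
    found = {}
    for der in x509_entries(blob):
        for name, expires in EXPIRING.items():
            # Assumption: the subject name appears as plain ASCII in the DER.
            if name.encode("ascii") in der:
                found[name] = (expires - today).days
    return found

def make_list(sig_type, payload):
    """Build one single-entry signature list (constructed test data only)."""
    sig = uuid.UUID(int=0).bytes_le + payload
    return sig_type.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

# Constructed sample DB body: placeholder payloads, not real certificates.
SAMPLE_DB = (
    make_list(X509_GUID, b"placeholder CN=Microsoft Windows Production PCA 2011")
    + make_list(SHA256_GUID, b"\x00" * 32)
    + make_list(X509_GUID, b"placeholder CN=Constructed Example CA")
)
```

On a real system the variable body would come from the firmware, for example the Bytes property returned by the Get-SecureBootUEFI PowerShell cmdlet on Windows.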

 

CVE-2023-31096 - A local privilege escalation vulnerability in the Agere Soft Modem driver that was included with various versions of Windows. It stems from a stack buffer overflow in the driver’s kernel-mode code, which can allow an attacker with local access to escalate privileges to SYSTEM level.

In the October Patch Tuesday updates, Microsoft disclosed actively exploited vulnerabilities affecting a third-party Agere modem driver shipped with supported Windows versions and announced plans to remove the driver. As part of today’s Patch Tuesday updates, Microsoft has completed the removal of the vulnerable drivers from Windows.

 

Critical

CVE-2026-20952 and CVE-2026-20953 are remote code execution (RCE) vulnerabilities affecting Microsoft Office. Both flaws are rated Critical, assigned a CVSS v3 score of 8.4, and assessed as “Exploitation Less Likely.” An attacker could exploit these vulnerabilities through social engineering by delivering a malicious Microsoft Office document to a target, potentially resulting in arbitrary code execution.

Despite being classified as “Exploitation Less Likely,” Microsoft notes that the Preview Pane is a viable attack vector for both vulnerabilities, meaning exploitation may occur without requiring the user to open the file.

CVE-2026-20822 - A critical elevation-of-privilege vulnerability in the Windows Graphics Component. The flaw results from a use-after-free (UAF) bug that, if successfully exploited, could allow an attacker to gain SYSTEM privileges on affected systems. It has been assigned a CVSS v3.1 base score of 7.8. Exploitation requires the attacker to successfully trigger a race condition. Microsoft has assessed the likelihood of exploitation as “less likely” and notes that this vulnerability has not been publicly disclosed.

Important

CVE‑2026‑20946 and CVE‑2026‑20955 are high‑severity remote code execution vulnerabilities in Microsoft Excel that could allow an attacker to execute arbitrary code by tricking a user into opening a specially crafted spreadsheet. Both have a CVSS v3.1 score of 7.8, are assessed as “Exploitation Less Likely,” and have no known public exploits. Microsoft addressed both flaws in the January Patch Tuesday updates, and affected systems should be updated promptly.

CVE-2026-20840 and CVE-2026-20922 are remote code execution (RCE) vulnerabilities in the Windows New Technology File System (NTFS). Both vulnerabilities have been assigned CVSS v3 scores of 7.8 and are rated as Important. Microsoft assessed them as “Exploitation More Likely.” These flaws result from heap-based buffer overflows, which could allow an attacker to execute arbitrary code on an affected system. Notably, both advisories indicate that any authenticated attacker can exploit these vulnerabilities, regardless of privilege level.

CVE-2026-20816 – A local elevation‑of‑privilege vulnerability in Windows Installer caused by a time‑of‑check time‑of‑use (TOCTOU) race condition that could allow an authenticated attacker with low privileges to gain elevated (SYSTEM) rights on an affected system. It has been assigned a CVSS v3.1 base score of 7.8. There is no evidence of active exploitation or publicly released proof‑of‑concept code at this time.

CVE-2026-20820 - An elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) Driver caused by a heap-based buffer overflow. A local, authenticated attacker with low privileges could exploit this flaw to gain SYSTEM-level access, potentially taking full control of the affected system. It has been assigned a CVSS v3.1 base score of 7.8 (High). There are currently no known public exploits or proof-of-concept code. Microsoft addressed the vulnerability in this month’s Patch Tuesday security updates.

CVE-2026-20860 - A Windows WinSock driver elevation-of-privilege vulnerability caused by a type confusion flaw. A local, authenticated attacker could gain SYSTEM-level access. It has a CVSS v3.1 score of 7.8 (High) and was patched in the 13 January 2026 Patch Tuesday updates.

 

Recent updates from other Vendors

Adobe released 11 security bulletins addressing security vulnerabilities across its products. These updates cover a total of 25 unique CVEs, including fixes for applications such as Dreamweaver, InDesign, Illustrator, InCopy, Bridge, multiple Substance 3D tools, and ColdFusion.

 

Cisco

Cisco’s January patch updates focus mainly on its Identity Services Engine (ISE) network access control solution. CVE-2026-20029 is a medium-severity information disclosure vulnerability that affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regardless of device configuration. Although Cisco found no evidence of active exploitation, it did warn that a proof-of-concept (PoC) exploit is available online.

Cisco also fixed several IOS XE vulnerabilities that could allow unauthenticated remote attackers to restart the Snort 3 Detection Engine, potentially causing a denial-of-service or exposing sensitive information from the Snort data stream. Cisco PSIRT confirmed that no public exploit code exists and there is no evidence of active exploitation in the wild.

 

Fortinet

Fortinet released security updates for multiple products this month, including fixes for two RCEs.

 

SAP

SAP released 17 security updates for multiple products, including a fix for CVE-2026-0501, a 9.9/10 code injection flaw in SAP Solution Manager. There are no updates to previously released patch day security notes.

 

Veeam

In the January 2026 Patch Tuesday security updates, Veeam released fixes for multiple security flaws in its Backup & Replication software, including CVE-2025-59470, a critical RCE vulnerability carrying a CVSS score of 9.0.

 

Ivanti

Ivanti’s official January Patch Tuesday blog did not address any specific vulnerabilities; it focused on general third-party patches, e.g., Microsoft, Adobe, Mozilla, etc.

 

Trend Micro

Trend Micro has resolved a critical vulnerability in its on‑premises Apex Central platform that exposed systems to remote arbitrary code execution with full SYSTEM‑level control.

Applying the latest security updates promptly is critical for staying protected against emerging threats. Timely patching reduces exposure to known vulnerabilities and helps prevent potential exploits.