Patch Now: Microsoft Fixed 3 Zero-Days in The Patch Tuesday Updates

Published Date: January 15, 2026
Category: ShadowOpsIntel
Share:

Microsoft’s January 2026 Patch Tuesday addressed 114 vulnerabilities, including three zero-days, one actively exploited and two publicly disclosed. These zero-days affect core Windows components ranging from the Desktop Window Manager (DWM) and Secure Boot subsystem to legacy Agere Soft Modem drivers. If unpatched, the flaws enable privilege escalation, Secure Boot bypass, or information disclosure that may serve as the first step in privilege-chain attacks.

Severity: High

Vulnerability Details

  1. CVE-2026-20805 – Desktop Window Manager Information Disclosure
    • Type: Information Disclosure
    • Severity: Important
    • Status: Actively exploited zero-day
    • CVSS Score: 5.5
    • Description: A local privilege-level vulnerability in the Desktop Window Manager (DWM) allows an authenticated user to read sensitive memory from a remote ALPC port. This information leak reveals user-mode section addresses, potentially aiding attackers in crafting precise heap or kernel exploits that defeat ASLR or other mitigations.
    • Impact: Memory disclosure → facilitates privilege-escalation chaining.
    • Exploitability: Detected / Active exploitation.
    • Remediation: Install the January 13 2026 cumulative update (KB5073723 and related).
  1. CVE-2026-21265 – Secure Boot Certificate Expiration Security Feature Bypass
    • Type: Security Feature Bypass
    • Severity: Important
    • Status: Publicly disclosed zero-day
    • CVSS Score: 6.4
    • Description: The Windows Secure Boot process depends on a chain of Microsoft-signed UEFI certificates (KEK CA 2011, UEFI CA 2011, PCA 2011). These certificates expire between June and October 2026, and flaws in some firmware-level update mechanisms may prevent proper renewal. Systems with outdated keys can lose signature verification, allowing attackers to bypass Secure Boot & load untrusted bootloaders or malware during startup.
    • Impact: Potential compromise of boot integrity and persistence of rootkits.
    • Exploitability: Less Likely (High complexity, local access required).
    • Remediation: Apply January 2026 updates that renew Secure Boot certificates and verify the new CA chain in UEFI KEK/DB.
  2. CVE-2023-31096 – Windows Agere Soft Modem Driver Elevation of Privilege
    • Type: Elevation of Privilege
    • Severity: Important
    • Status: Publicly disclosed zero-day
    • CVSS Score: 7.8
    • Description: A stack-based buffer overflow (CWE-121) in legacy Agere Soft Modem drivers (agrsm.sys / agrsm64.sys) allows a local attacker to execute code with SYSTEM privileges. Although identified in 2023, Microsoft only removed the vulnerable drivers in January 2026, effectively disabling the affected hardware. Attackers could weaponize the flaw to escalate from user to kernel-level control.
    • Impact: Full local privilege escalation.
    • Exploitability: “More Likely.”
    • Remediation: Apply January 2026 cumulative update; uninstall or block agrsm drivers via WDAC policies.

Source:

  • https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20805
  • https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21265
  • https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-31096

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Contact Us