Microsoft patched 113 CVEs in its January 2026 Patch Tuesday release, with eight rated critical and 105 rated important. Our counts omit one CVE that was assigned by MITRE, CVE-2023-31096. Elevation of privilege (EoP) vulnerabilities accounted for 49.6% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 19.5%. Below is a comment from Satnam Narang, senior staff research engineer at Tenable; a full analysis is available in this blog.
“New reality: 1000+ CVEs a year is the baseline. For the second year in a row, the January release has surged to over 100 CVEs as part of the first Patch Tuesday of the year. This month, 113 CVEs were patched, including eight rated critical.
“CVE-2026-20805 stands out this month as a zero-day information disclosure bug in the Desktop Window Manager (DWM), a key part of how windows appear on a user’s screen. Exploitation requires the attacker to have local access to the targeted system, which would disclose sensitive information. While DWM is a ‘frequent flyer’ on Patch Tuesday with 20 CVEs patched in this library since 2022, this is the first time we’ve seen an information disclosure bug in this component exploited in the wild. Attackers have historically used it to climb the ladder of privileges (CVE-2023-36033, CVE-2024-30051).
“Microsoft also noted that three Windows Secure Boot certificates are set to expire in June 2026 and October 2026. These certificates are used to sign updates for components of Windows Secure Boot, an important integrity and security feature, the ‘digital guards’ to block things like rootkits and bootkits. Affected users and organisations are those with certificates that include 2011 in the title (Microsoft Corporation KEK CA 2011, Microsoft Corporation UEFI CA 2011, Microsoft Windows Production PCA 2011). It is important to update to the most recent certificates (2023) to receive future security updates.
“Finally, a pair of remote code execution flaws in Microsoft Office were patched this month (CVE-2026-20952, CVE-2026-20953) and are exploitable via malicious Microsoft Office document files. While both vulnerabilities were rated as less likely to be exploited, they are exploitable via Microsoft’s Preview Pane, which means that attackers can achieve code execution without a user ever opening a file. In the modern threat landscape, even a glance is a risk.”
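To check whether a Windows system still relies on the expiring 2011 Secure Boot certificates named above, here is an added PowerShell example (not part of Tenable's post or Microsoft's tooling). It assumes the built-in SecureBoot module's Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets, and the 2023 replacement CA names in the comments are assumed from Microsoft's published naming rather than taken from the comment above.

```powershell
# Added example: reads the firmware KEK and db Secure Boot variables and
# reports which Microsoft CAs are present. Run in an elevated PowerShell
# session on a UEFI system.
function Test-SecureBootCertificates {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is not enabled on this system.'
        return
    }

    # The 2011 names are the ones quoted in the comment above. The 2023 names
    # are assumed from Microsoft's published replacement CA names; confirm them
    # against current vendor guidance before relying on this check.
    $expected = [ordered]@{
        KEK = @{
            Old = @('Microsoft Corporation KEK CA 2011')
            New = @('Microsoft Corporation KEK 2K CA 2023')
        }
        db  = @{
            Old = @('Microsoft Corporation UEFI CA 2011', 'Microsoft Windows Production PCA 2011')
            New = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
        }
    }

    foreach ($var in $expected.Keys) {
        # Each variable holds EFI_SIGNATURE_LISTs of DER certificates; the subject
        # CN survives as a plain ASCII substring, so a string match is enough here.
        $raw = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
        $old = @($expected[$var].Old | Where-Object { $raw.Contains($_) })
        $new = @($expected[$var].New | Where-Object { $raw.Contains($_) })

        [pscustomobject]@{
            Variable        = $var
            ExpiringCAs     = ($old -join ', ')
            Replacement2023 = ($new -join ', ')
            Status          = $(if ($new.Count) { 'Updated' }
                               elseif ($old.Count) { 'Needs 2023 certificates' }
                               else { 'No Microsoft CA found' })
        }
    }
}

Test-SecureBootCertificates | Format-Table -AutoSize
```

A row showing a 2011 CA with no 2023 replacement means the system will stop receiving Secure Boot component updates once those certificates expire.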