January 2026 Patch Tuesday: Expert Comment from Satnam Narang, Senior Staff Research Engineer, Tenable


By Satnam Narang, Senior Staff Research Engineer, Tenable

New reality: 1,000+ CVEs per year is now the baseline. For the second consecutive year, the January Patch Tuesday release has surged, with over 100 CVEs patched in the first update of 2026. This month, 113 CVEs were addressed, including eight rated as critical.

CVE-2026-20805 stands out as a zero-day information disclosure vulnerability in the Desktop Window Manager (DWM), a core component responsible for rendering windows on a user’s screen. Exploitation requires local access, potentially disclosing sensitive information. While DWM has been a “frequent flyer” on Patch Tuesday—20 CVEs have been patched in this library since 2022—this is the first time an information disclosure flaw in DWM has been observed being exploited in the wild. Historically, attackers have leveraged DWM vulnerabilities to escalate privileges (e.g., CVE-2023-36033, CVE-2024-30051).

Microsoft also highlighted that three Windows Secure Boot certificates are set to expire in June and October 2026. These certificates (Microsoft Corporation KEK CA 2011, Microsoft Corporation UEFI CA 2011, and Microsoft Windows Production PCA 2011) sign updates for key Windows Secure Boot components, which serve as critical “digital guards” against threats like rootkits and bootkits. It is essential for affected users and organizations to update to the most recent 2023 certificates to continue receiving future security updates.
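To find out whether a machine still depends on the expiring 2011 certificates, an administrator can inspect the firmware's Secure Boot variables directly. The script below is an added example written for this commentary, not code from Tenable or Microsoft. It assumes an elevated PowerShell session on a UEFI system, and the names of the 2023 replacement certificates (Microsoft Corporation KEK 2K CA 2023, Microsoft UEFI CA 2023 and Windows UEFI CA 2023) are taken from Microsoft's Secure Boot certificate guidance rather than from the text above.

```powershell
# Added example (not from the original commentary): report which Secure Boot
# signing certificates the firmware currently trusts, so you can see whether
# the 2023 replacements for the expiring 2011 certificates are already in place.
# Assumes an elevated prompt on a UEFI system. The 2023 certificate names are
# taken from Microsoft's Secure Boot certificate guidance, not from the page.

function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    if (-not (Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)) {
        Write-Warning "Secure Boot is not enabled, or this is not a UEFI system."
    }

    # Each expiring 2011 certificate, the variable it lives in, and its 2023 successor.
    $expected = @(
        @{ Variable = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' },
        @{ Variable = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft UEFI CA 2023' },
        @{ Variable = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' }
    )

    foreach ($item in $expected) {
        # Get-SecureBootUEFI returns the raw variable contents. The DER-encoded
        # certificates inside carry their subject names as plain ASCII, so a
        # substring search is enough to detect whether a certificate is present.
        $raw  = (Get-SecureBootUEFI -Name $item.Variable).Bytes
        $text = [System.Text.Encoding]::ASCII.GetString($raw)

        [pscustomobject]@{
            Variable     = $item.Variable
            ExpiringCert = $item.Old
            OldPresent   = [bool]($text -match [regex]::Escape($item.Old))
            Replacement  = $item.New
            NewPresent   = [bool]($text -match [regex]::Escape($item.New))
        }
    }
}

Get-SecureBootCertStatus | Format-Table -AutoSize
```

Any row with `NewPresent` equal to `False` marks a device whose Secure Boot trust store has not yet received the 2023 certificate for that variable; those are the machines to prioritise for Microsoft's certificate update, since after expiry they will no longer be able to receive signed updates to the affected boot components.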

Additionally, a pair of remote code execution vulnerabilities in Microsoft Office (CVE-2026-20952, CVE-2026-20953) were patched this month. These flaws can be exploited via malicious Office document files, and importantly, through Microsoft’s Preview Pane, meaning attackers can achieve code execution without the user ever opening the file. While rated as less likely to be exploited, these vulnerabilities underscore the risks in today’s threat landscape, where even a brief glance at a file can be dangerous.
