Blog
Microsoft Patch
Tuesday Jan 2026: 114 Flaws Fixed Including Active Zero-Days
Introduction: Navigating the First Major Security Update of 2026
Contents hide 1 Introduction: Navigating the First Major
As we enter the new year, cybersecurity remains the paramount concern for enterprise environments and individual users alike. Microsoft Patch Tuesday Jan 2026 has officially landed, marking a significant and aggressive start to the year for the Redmond giant. Microsoft has released fixes for a staggering 114 security vulnerabilities, a volume that underscores the evolving complexity of the threat landscape.
This month’s release is particularly critical, addressing flaws across the entire Microsoft ecosystem, including Windows 11, Windows Server 2025, Microsoft Office, Azure, and Dynamics 365. Of the 114 bugs squashed, IT administrators must pay immediate attention to two active zero-day vulnerabilities currently being exploited in the wild, alongside nine vulnerabilities classified as ‘Critical’ due to their potential for Remote Code Execution (RCE).
For system administrators, this Patch Tuesday is not merely a routine update; it is a call to action. With the recent End of Life (EOL) for Windows 10 standard support having passed in late 2025, this update also serves as a crucial test for organizations relying on the Extended Security Update (ESU) program. This article provides an authoritative, deep-dive analysis of the January 2026 security updates, offering strategic guidance on prioritization, testing, and deployment to secure your infrastructure against imminent threats.
Executive Summary: The Jan 2026 Security Landscape
The volume and severity of patches released this month indicate a shift in attacker methodologies, with a renewed focus on privilege escalation and bypassing security features. Before diving into the technical specifics, it is essential to understand the high-level breakdown of this month’s release.
Vulnerability Classification Breakdown
- Total Vulnerabilities: 114
- Critical: 9
- Important: 103
- Moderate: 2
- Zero-Days (Actively Exploited): 2
- Publicly Disclosed (Zero-Day, Not Exploited): 1
The primary attack vectors this month involve Remote Code Execution (RCE), Elevation of Privilege (EoP), and Security Feature Bypass. The high number of EoP bugs suggests that attackers are actively looking for ways to move laterally once they have gained a foothold in a network.
Deep Dive: Active Zero-Day Vulnerabilities
The most pressing aspect of the Microsoft Patch Tuesday Jan 2026 release is the presence of two vulnerabilities actively being weaponized by threat actors. Immediate remediation of these CVEs should be the top priority for all security operations centers (SOCs).
1. CVE-2026-1004: Windows Win32k Elevation of Privilege Vulnerability
Severity: Important (Actively Exploited)
CVSS Score: 7.8
This vulnerability resides in the Win32k.sys kernel-mode driver, a frequent target for attackers. Successful exploitation allows an attacker with low-level access to execute arbitrary code with SYSTEM privileges. This is a classic local privilege escalation (LPE) route.
The Threat Context: Threat intelligence suggests this exploit is being used in chained attacks. An attacker typically gains initial entry via a phishing email or a browser compromise and then utilizes CVE-2026-1004 to gain full control over the affected system. Because it grants kernel-level access, security software running in user mode may be disabled or bypassed by the attacker.
2. CVE-2026-1289: Windows SmartScreen Security Feature Bypass
Severity: Moderate (Actively Exploited)
CVSS Score: 5.4
While the CVSS score appears lower, the risk is severe. This vulnerability allows attackers to bypass the Mark of the Web (MotW) security warnings. In real-world scenarios, this means malicious files downloaded from the internet—which should trigger a SmartScreen warning—will execute without alerting the user.
The Threat Context: Attackers are currently using this zero-day to deliver malware payloads, including ransomware and banking trojans. By bypassing the user trust mechanism, social engineering attacks become significantly more effective.
Critical Remote Code Execution (RCE) Flaws
Beyond the active exploits, nine critical RCE vulnerabilities pose a massive risk to unpatched infrastructure. These vulnerabilities generally allow attackers to take over a system without user interaction.
CVE-2026-0032: Microsoft Exchange Server RCE
Despite the migration to cloud-based Exchange Online, many enterprises maintain hybrid or on-premise Exchange servers. CVE-2026-0032 is a severe vulnerability allowing an authenticated attacker to execute code remotely via a network call. Given the history of Exchange exploits (such as ProxyLogon), patching Exchange servers should be treated with extreme urgency (T-0).
CVE-2026-0441: Windows Kerberos RCE
This critical flaw affects the Kerberos authentication protocol. An unauthenticated attacker could exploit this vulnerability by sending a specially crafted packet to a domain controller. If successful, the attacker could execute code on the target server. This is a nightmare scenario for Active Directory environments, as compromising a Domain Controller effectively compromises the entire network.
Detailed Product Breakdown
The January 2026 patch cycle covers a vast array of products. Here is how the updates impact different segments of your IT environment.
Windows 11 and Windows Server 2025
Windows 11, version 24H2 and 25H2, along with the recently adopted Windows Server 2025, receive the bulk of the updates. Key fixes include:
- TCP/IP Stack: Fixes for potential Denial of Service (DoS) attacks that could cripple server availability.
- Hyper-V: Multiple patches addressing potential escape vulnerabilities where a guest VM could execute code on the host.
- BitLocker: Updates to address a security feature bypass that could allow physical access attacks to succeed even with encryption enabled.
Windows 10 (Post-EOL Landscape)
With Windows 10 reaching its general End of Support in October 2025, the Microsoft Patch Tuesday Jan 2026 updates for this OS are only available to organizations enrolled in the Extended Security Update (ESU) program. If your organization is still running Windows 10 without an ESU license, you are now officially running an insecure operating system exposed to 114 known vulnerabilities.
Strategy Check: If you are managing Windows 10 fleets, verify that your ESU keys are correctly applied in your KMS or MAK activation systems; otherwise, the Windows Update client will reject these patches.
Office 365 apps and perpetual versions (Office 2024, Office 2021) received 18 patches. The most notable is a critical RCE in Microsoft SharePoint Server. This flaw allows an attacker to upload a specially crafted file to a SharePoint site, which then triggers arbitrary code execution in the context of the worker process.
Azure and Cloud Security Updates
The hybrid cloud model dominates 2026 architecture. Microsoft has released several patches for Azure-related services running on-premise, including:
- Azure Stack HCI: Patches for vulnerabilities that could allow cross-tenant information disclosure.
- Azure Arc: Fixes for the connected machine agent that prevents privilege elevation by local users.
Cloud administrators should verify that auto-update policies for Azure agents are functioning correctly, as these often run in the background without manual intervention.
Patch Management Strategy: Prioritization and Testing
Given the sheer volume of patches in the Microsoft Patch Tuesday Jan 2026 release, a
Editor at XS One Consultants, sharing insights and strategies to help businesses grow and succeed.