Microsoft stacks up 113 CVEs for January Patch Tuesday

Microsoft on Tuesday released 113 patches affecting 11 product families. Eight of the addressed issues are considered by Microsoft to be of Critical severity, including five from the Office-365 product family. Eight have a CVSS base score of 8.0 or higher. One is known to be under active exploit in the wild, and one other is publicly disclosed. 

At patch time, eight CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation, in addition to the one already detected to be so. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below. 

The release also includes advisory information on one Edge patch released last week, as well as two MITRE-issued CVEs affecting software modems from two companies whose drivers are present in Windows. (We are not including those patches in the tallies for Windows this month, but we do indicate which platforms are affected in Appendix E, along with information on which server versions are affected by each of the 88 Windows CVEs addressed this month.) There is also an update to the Servicing Stack this month.

We are as always including at the end of this post appendices listing all Microsoft’s patches sorted by severity (Appendix A), by predicted exploitability timeline and CVSS Base score (Appendix B), and by product family (Appendix C). Appendix E provides a breakout of the patches affecting the various Windows Server platforms.

By the numbers

• Total CVEs: 113
• Publicly disclosed: 1
• Exploit detected: 1
• Severity
  • Critical: 8
  • Important: 105
• Impact:
  • Denial of Service: 2
  • Elevation of Privilege: 56
  • Information Disclosure: 22
  • Remote Code Execution: 22
  • Security Feature Bypass: 3
  • Spoofing: 5
  • Tampering: 3
• CVSS base score 9.0 or greater: 0
• CVSS base score 8.0 or greater: 8

Figure 1: Not only are all seven impact categories represented in the very first Patch Tuesday of 2026, Elevation of Privilege issues continue to considerably outpace Remote Control Execution – a change we saw taking place last year and one that increasingly seems to be the new normal

Products

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. We note, by the way, that CVE names don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa. 

Figure 2: Windows accounts for over four-fifths of all January patches, though Office has a higher percentage of Critical-severity bugs this month. Of the rest, Windows Admin Center is counted here as neither Windows not Azure, but administrators of either should look into the Important-severity issue associated with that web tool 

Notable January updates

In addition to the issues discussed above, several specific items merit attention. 

CVE-2026-20944 -- Microsoft Word Remote Code Execution Vulnerability
CVE-2026-20952 – Microsoft Office Remote Code Execution Vulnerability
CVE-2026-20953 -- Microsoft Office Remote Code Execution Vulnerability

Office accounts for a disproportionate share of Critical-severity bugs this month, and the two Office issues above may be the worst of the lot. Microsoft’s own worst-case scenario for those two CVEs is troubling; an attacker could potentially gain remote code execution on the targeted user’s machine simply by sending them a link in an email – and the targeted user need not open, read, or click on the link. The Word CVE, meanwhile, has Preview Pane as a vector.

CVE-2023-31096 -- MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability
CVE-2024-55414 -- Windows Motorola Soft Modem Driver Elevation of Privilege Vulnerability
CVE-2026-0386 -- Windows Deployment Services Remote Code Execution Vulnerability
CVE-2026-21265 -- Secure Boot Certificate Expiration Security Feature Bypass Vulnerability

The new year is a good time for tidying up, and two advisories and two CVEs in this month’s set indicate that housekeeping may be afoot in Redmond. The two MITRE-issued CVEs cover third-party modem drivers. Microsoft is issuing an advisory simply to say that they’re both been removed from the cumulative update as of this month. Likewise, the functionality touched by CVE-2026-0386 is nearing its end of life; this concerns the Windows Deployment Services (WDS) hands-free deployment feature. Microsoft will be withdrawing that functionality in the near future – it's already legacy technology, superceded by the likes of Windows Autopilot, Microsoft InTune, and various cloud-based provisioning workflows that leverage Azure. At this point, administrators still using WDS are advised to be aware of their usage and lock it down as per instructions. Finally, the issue covered in CVE-2026-21265 involves certain upcoming certificate expirations affecting Secure Boot, and the firmware that protects updates to those certificates. Based on the provided information the vulnerability would be fairly hard to hit, but Microsoft’s attempting to get out ahead of this – and if they’re talking in January about a problem that won’t land until June (at the earliest), one is well-advised to pay attention and do the reading.

CVE-2026-20949 -- Microsoft Excel Security Feature Bypass Vulnerability

On March 25, 1992, Microsoft released Excel 4.0. Thirty-three years and ten months later, Microsoft is releasing a patch for a bug that allows local bypass of the security setting that disables XL4 (Excel 4.0) macros. Backward compatibility is widely understood to be a blessing and a curse for Microsoft, but some of this specific code is very likely older than many of the defenders who worked to patch it, if not the (anonymous) finder who dug it out. Wild.

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of January patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE. 

Elevation of Privilege (56 CVEs)

Information Disclosure (22 CVEs)

Remote Code Execution (22 CVEs)

Security Feature Bypass (3 CVEs)

Spoofing (5 CVEs)

Tampering (3 CVEs)

Denial of Service (2 CVEs)

Appendix B: Exploitability and CVSS

This is a list of the eight January CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release, along with the single CVE already known to be under attack. The list is arranged by CVE. 

These are the January CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema. 

Appendix C: Products Affected

This is a list of January’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Certain issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft; for further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (91 CVEs)

Office (11 CVEs)

365 (10 CVEs)

SharePoint (7 CVEs)

Excel (3 CVEs)

Azure (2 CVEs)

Power Apps (1 CVE)

SQL (1 CVE)

Windows Admin Center (1 CVE)

Windows SDK (1 CVE)

Word (1 CVE)

Appendix D: Advisories and Other Products

There is one Edge-related advisory noted in January’s release:

There are also the usual Servicing Stack updates, ADV990001.

Apendix E: Affected Windows Server versions

This is a table of the 91 CVEs in the January release affecting Windows Server versions 2008 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). An “x” indicates that the CVE does not apply to that version; in the case of the four client-only patches this month, we’ve italicized the whole row to emphasize that no server version is affected. We have also, for convenience, indicated information on the two Windows-related advisories (CVE-2023-31096, CVE-2024-55414), since both affect all versions of the platform. 

Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft.