Microsoft Patch Tuesday Analysis – January 2026

Executive Summary

On Tuesday, January 13, 2026, Microsoft released its monthly security patch, addressing 112 vulnerabilities in its products.

By severity:

• Remote Code Execution - 22;
• Elevation of Privilege - 55;
• Tampering - 3;
• Information Disclosure - 22;
• Security Feature Bypass - 3;
• Spoofing - 5;
• Denial of Service - 2.

Exploited (Zero-Days) and Publicly Disclosed Vulnerabilities

Particular attention should be paid to the following 2 vulnerabilities. Their fixes are high-priority:

• CVE-2026-20805 (CVSS 5.5; Information Disclosure) - Desktop Window Manager Information Disclosure Vulnerability (Information Disclosure). A vulnerability in the Desktop Window Manager (DWM) allows an authenticated local attacker to gain access to the contents of user mode memory. The exploitation leads to the disclosure of the ALPC (Advanced Local Procedure Call) port address.
• CVE-2026-21265 (CVSS 6.4; Security Feature Bypass) - Secure Boot Certificate Expiration Security Feature Bypass Vulnerability (Security Feature Bypass). A vulnerability in the Secure Boot protection mechanism, related to the upcoming expiration of Microsoft Key Exchange (KEK) and Device Builder (DB) certificates stored in UEFI, allows an attacker with high privileges to bypass the secure boot process. The problem is caused by the updating mechanism of these certificates, which relies on components that may not work correctly, breaking the chain of trust. Successful exploitation allows an attacker to bypass the secure boot process.

General Overview and Trends

The first Patch Tuesday of 2026 sets a high bar for the year: Microsoft released fixes for 112 vulnerabilities, which exceeds the number of fixes released in December (57) and November (63). This release sets a high tempo for information security specialists. The key trends of this month:

• Attacks on the graphics subsystem and boot process: Two critical vulnerabilities are in the spotlight. The vulnerability in the Desktop Window Manager (DWM) has already been exploited by attackers to read memory, which is often the first step in an exploit chain. In parallel, the publicly disclosed vulnerability in Secure Boot, related to the expiration of certificates, poses a threat to the fundamental trust in the OS boot process, requiring a careful UEFI update.
• Elevation of Privilege (EoP): More than half of all fixes (55 out of 112) are related to Elevation of Privilege vulnerabilities. This continues the trend seen at the end of 2025. The vulnerabilities affect all key system components: from drivers and the Common Log File System to the Windows Management Services.
• Critical RCE in corporate software: A significantative block of fixes (22 RCE) is aimed at addressing vulnerabilities in remote code execution in Microsoft SharePoint and Office. Given the popularity of SharePoint as a corporate data repository, the presence of multiple RCE makes these servers a priority target for attackers and shadow IT.
• Attention to peripherals and device drivers: A large number of fixes affect device drivers, graphics components, and services for connected devices. Low-level errors in these components are often used to bypass security mechanisms and OS defenses.

Full List of Vulnerabilities

This table contains all the vulnerabilities that were fixed this month.

Retrospective Analysis of Vulnerabilities

• CVE-2025-62454 — Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (Elevation of Privilege). The vulnerability is a heap-based buffer overflow in the cldflt.sys driver, which is responsible for working with cloud files (for example, OneDrive). The problem occurs in the memcpy function due to incorrect validation of input data when processing a special control code (FSCTL 0x903bc) related to HSM. Successful exploitation allows a local attacker to execute arbitrary code in the context of the SYSTEM and elevate privileges to the SYSTEM level. Available PoC demonstrates the ability to initiate a system crash (BSOD) through attribute manipulation. The vulnerability was fixed in December 2025.
• CVE-2025-62470 - Windows Common Log File System Driver Elevation of Privilege Vulnerability (Elevation of Privilege). The vulnerability is a heap-based buffer overflow in the CLFS.sys driver, which allows a local attacker to elevate privileges to the SYSTEM level. The error occurs in the ClfsEncodeBlock function due to insufficient validation of the TotalSectorCount and ValidSectorCount fields in the CLFS_LOG_BLOCK_HEADER structure. Available PoC demonstrates the ability to initiate a system crash (BSOD) through a specially crafted IOCTL request, which confirms non-secure memory access. The vulnerability was fixed in December 2025.
• CVE-2025-64669 — Windows Admin Center Elevation of Privilege Vulnerability (Elevation of Privilege). The vulnerability is a local elevation of privileges, discovered by Cymulate Research Lab. The root cause is insecure access rights to the C:\ProgramData\WindowsAdminCenter directory, which is accessible for writing by a standard user. This allows an attacker to elevate privileges to the SYSTEM level using a DLL hijacking attack during the update process (Updater DLL Hijacking) or using PowerShell scripts during the uninstallation of extensions. Detailed technical analysis of the exploitation methods is available. The vulnerability was fixed in December 2025.

Conclusion

The January 2026 patch is a significant and critical update, and IT departments should prioritize the installation of the patches for the following vulnerabilities:

• Actively exploit CVE-2026-20805 (DWM, Information Disclosure), to prevent the use of this vulnerability in combination with other exploits.
• Publicly disclose CVE-2026-21265 (Secure Boot, Security Feature Bypass), as the expiration of certificates creates a window of opportunity for attackers to bypass the Secure Boot security feature.
• Critical RCE vulnerabilities in SharePoint (CVE-2026-20947, CVE-2026-20963) and Office pose a maximum threat to the integrity of corporate data.

Additionally, attention should be drawn to the Retrospective Analysis of Vulnerabilities section. Publication of PoC exploits for vulnerabilities in the Cloud Files and Common Log File System drivers, as well as for Windows Admin Center, make them trivial for exploitation if the December patches are not installed. If the December patches have not been installed, the risk of a system compromise through these vectors becomes extremely high.