"Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild. Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code execution, and five spoofing flaws. According to data collected by Fortra, the update marks the third-largest January Patch Tuesday after January 2025 and January 2022."
""Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager (DWM) allows an authorized attacker to disclose information locally," Microsoft said in an advisory. "The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port, which is user-mode memory.""
"These patches are in addition to two security flaws that Microsoft has addressed in its Edge browser since the release of the December 2025 Patch Tuesday update, including a spoofing flaw in its Android app ( CVE-2025-65046, 3.1) and a case of insufficient policy enforcement in Chromium's WebView tag ( CVE-2026-0628, CVSS score: 8.8)."
Microsoft released the January 2026 security update addressing 114 vulnerabilities, with eight rated Critical and 106 rated Important. The update includes 58 privilege escalation issues, 22 information disclosure flaws, 21 remote code execution bugs, and five spoofing vulnerabilities. Fortra data ranks the update as the third-largest January Patch Tuesday behind 2025 and 2022. Two additional Edge vulnerabilities were patched since December 2025, including CVE-2025-65046 and CVE-2026-0628. The actively exploited flaw is CVE-2026-20805, an information-disclosure issue in Desktop Window Manager credited to MTIC and MSRC. No exploitation details or attribution have been released.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]