Skip to main content
Customer Support Customer Support

Microsoft security update summary's for January 2026

  • January 7, 2026
  • 6 replies
  • 107 views
TripleHelix
Moderator
Forum|alt.badge.img+63

CVEs have been published or revised in the Security Update Guide

January 7, 2026

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2025-62224

  • Title: Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: January 7, 2026
  • Last updated: January 7, 2026
  • Aggregate CVE severity rating: Low

Customer action required: Yes

Daniel - Microsoft MVP Consumer Security (2012-2016) Windows 10 Pro x64 for Workstations 22H2 on my Alienware 17R2 and Windows 11 Pro x64 25H2 for Workstations on my Alienware 17R5 Laptops with Webroot SecureAnywhere Complete Beta Tester for PC & Android Samsung Galaxy A16 5G OS 16.

    6 replies

    TripleHelix
    Moderator
    Forum|alt.badge.img+63
    • TripleHelix
    • Author
    • Moderator
    • January 9, 2026

    CVEs have been published or revised in the Security Update Guide

    January 9, 2026

    These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

    CVE-2026-0628

    • Title: Chromium: CVE-2026-0628 Insufficient policy enforcement in WebView tag
    • Version: 1.0
    • Reason for revision: Information published.
    • Originally released: January 9, 2026
    • Last updated: January 9, 2026
    • Aggregate CVE severity rating:

    Customer action required: Yes

    Daniel - Microsoft MVP Consumer Security (2012-2016) Windows 10 Pro x64 for Workstations 22H2 on my Alienware 17R2 and Windows 11 Pro x64 25H2 for Workstations on my Alienware 17R5 Laptops with Webroot SecureAnywhere Complete Beta Tester for PC & Android Samsung Galaxy A16 5G OS 16.
      TripleHelix
      Moderator
      Forum|alt.badge.img+63
      • TripleHelix
      • Author
      • Moderator
      • January 13, 2026

      Happy Patch Tuesday Everyone!

       

      January 2026 Security Updates

      This release consists of the following 112 Microsoft CVEs:

      Tag       CVE Base Score CVSS Vector Exploitability FAQs? Workarounds? Mitigations?
      Windows Deployment Services CVE-2026-0386
      SQL Server CVE-2026-20803
      Windows Hello CVE-2026-20804 7.7
      Desktop Window Manager CVE-2026-20805
      Printer Association Object CVE-2026-20808
      Windows Kernel Memory CVE-2026-20809
      Windows Ancillary Function Driver for WinSock CVE-2026-20810
      Windows Win32K - ICOMP CVE-2026-20811
      Windows LDAP - Lightweight Directory Access Protocol CVE-2026-20812
      Graphics Kernel CVE-2026-20814
      Capability Access Management Service (camsvc) CVE-2026-20815
      Windows Installer CVE-2026-20816
      Windows Error Reporting CVE-2026-20817
      Windows Kernel CVE-2026-20818
      Windows Virtualization-Based Security (VBS) Enclave CVE-2026-20819
      Windows Common Log File System Driver CVE-2026-20820
      Windows Remote Procedure Call CVE-2026-20821
      Microsoft Graphics Component CVE-2026-20822
      Windows File Explorer CVE-2026-20823
      Windows Remote Assistance CVE-2026-20824
      Windows Hyper-V CVE-2026-20825
      Tablet Windows User Interface (TWINUI) Subsystem CVE-2026-20826
      Tablet Windows User Interface (TWINUI) Subsystem CVE-2026-20827
      Windows Internet Connection Sharing (ICS) CVE-2026-20828
      Windows TPM CVE-2026-20829
      Capability Access Management Service (camsvc) CVE-2026-20830
      Windows Ancillary Function Driver for WinSock CVE-2026-20831
      Windows Remote Procedure Call Interface Definition Language (IDL) CVE-2026-20832
      Windows Kerberos CVE-2026-20833
      Windows Shell CVE-2026-20834
      Capability Access Management Service (camsvc) CVE-2026-20835
      Graphics Kernel CVE-2026-20836
      Windows Media CVE-2026-20837
      Windows Kernel CVE-2026-20838 5.5
      Windows Client-Side Caching (CSC) Service CVE-2026-20839
      Windows NTFS CVE-2026-20840
      Windows DWM CVE-2026-20842
      Windows Routing and Remote Access Service (RRAS) CVE-2026-20843
      Windows Clipboard Server CVE-2026-20844
      Windows Shell CVE-2026-20847
      Windows SMB Server CVE-2026-20848
      Windows Kerberos CVE-2026-20849
      Capability Access Management Service (camsvc) CVE-2026-20851
      Windows Hello CVE-2026-20852
      Windows WalletService CVE-2026-20853
      Windows Local Security Authority Subsystem Service (LSASS) CVE-2026-20854
      Windows Server Update Service CVE-2026-20856
      Windows Cloud Files Mini Filter Driver CVE-2026-20857
      Windows Management Services CVE-2026-20858
      Windows Kernel-Mode Drivers CVE-2026-20859
      Windows Ancillary Function Driver for WinSock CVE-2026-20860
      Windows Management Services CVE-2026-20861
      Windows Management Services CVE-2026-20862
      Windows Win32K - ICOMP CVE-2026-20863
      Connected Devices Platform Service (Cdpsvc) CVE-2026-20864
      Windows Management Services CVE-2026-20865
      Windows Management Services CVE-2026-20866
      Windows Management Services CVE-2026-20867
      Windows Routing and Remote Access Service (RRAS) CVE-2026-20868
      Windows Local Session Manager (LSM) CVE-2026-20869
      Windows Win32K - ICOMP CVE-2026-20870
      Desktop Window Manager CVE-2026-20871
      Windows NTLM CVE-2026-20872


      Windows Management Services CVE-2026-20873
      Windows Management Services CVE-2026-20874
      Windows Local Security Authority Subsystem Service (LSASS) CVE-2026-20875
      Windows Virtualization-Based Security (VBS) Enclave CVE-2026-20876
      Windows Management Services CVE-2026-20877
      Windows Management Services CVE-2026-20918
      Windows SMB Server CVE-2026-20919
      Windows Win32K - ICOMP CVE-2026-20920
      Windows SMB Server CVE-2026-20921
      Windows NTFS CVE-2026-20922
      Windows Management Services CVE-2026-20923
      Windows Management Services CVE-2026-20924
      Windows NTLM CVE-2026-20925
      Windows SMB Server CVE-2026-20926
      Windows SMB Server CVE-2026-20927
      Windows HTTP.sys CVE-2026-20929
      Windows Telephony Service CVE-2026-20931
      Windows File Explorer CVE-2026-20932
      Windows SMB Server CVE-2026-20934
      Windows Virtualization-Based Security (VBS) Enclave CVE-2026-20935
      Windows NDIS CVE-2026-20936
      Windows File Explorer CVE-2026-20937
      Windows Virtualization-Based Security (VBS) Enclave CVE-2026-20938
      Windows File Explorer CVE-2026-20939
      Windows Cloud Files Mini Filter Driver CVE-2026-20940
      Host Process for Windows Tasks CVE-2026-20941
      Microsoft Office CVE-2026-20943
      Microsoft Office Word CVE-2026-20944
      Microsoft Office Excel CVE-2026-20946
      Microsoft Office SharePoint CVE-2026-20947
      Microsoft Office Word CVE-2026-20948
      Microsoft Office Excel CVE-2026-20949
      Microsoft Office Excel CVE-2026-20950
      Microsoft Office SharePoint CVE-2026-20951
      Microsoft Office CVE-2026-20952
      Microsoft Office CVE-2026-20953
      Microsoft Office Excel CVE-2026-20955
      Microsoft Office Excel CVE-2026-20956
      Microsoft Office Excel CVE-2026-20957
      Microsoft Office SharePoint CVE-2026-20958
      Microsoft Office SharePoint CVE-2026-20959
      Dynamic Root of Trust for Measurement (DRTM) CVE-2026-20962
      Microsoft Office SharePoint CVE-2026-20963
      Windows Admin Center CVE-2026-20965
      Inbox COM Objects CVE-2026-21219
      Capability Access Management Service (camsvc) CVE-2026-21221
      Azure Connected Machine Agent CVE-2026-21224
      Azure Core shared client library for Python CVE-2026-21226
      Windows Secure Boot CVE-2026-21265

      We are republishing 3 non-Microsoft CVEs:
      CNA Tag CVE FAQs? Workarounds? Mitigations?
      MITRE Corporation Agere Windows Modem Driver CVE-2023-31096
      MITRE Corporation Windows Motorola Soft Modem Driver CVE-2024-55414
      Chrome Microsoft Edge (Chromium-based) CVE-2026-0628

      Security Update Guide Blog Posts
      Date Blog Post
      October 31, 2025 You asked, we delivered: Introducing new features for an improved security experience
      October 28, 2025 Understanding CVE-2025-55315: What CISOs, security engineers, and sysadmins should know
      October 22, 2025 Toward greater transparency: Introducing machine-readable Vulnerability Exploitability Xchange (VEX) for Azure Linux and beyond
      November 12, 2024 Toward greater transparency: Publishing machine-readable CSAF files
      June 27, 2024 Toward greater transparency: Unveiling Cloud Service CVEs
      April 9, 2024 Toward greater transparency: Security Update Guide now shares CWEs for CVEs
      January 6, 2023 Publishing CBL-Mariner CVEs on the Security Update Guide CVRF API
      January 11, 2022 Coming Soon: New Security Update Guide Notification System
      February 9, 2021 Continuing to Listen: Good News about the Security Update Guide API
      January 13, 2021 Security Update Guide Supports CVEs Assigned by Industry Partners
      December 8, 2020 Security Update Guide: Let’s keep the conversation going
      November 9, 2020 Vulnerability Descriptions in the New Version of the Security Update Guide

      Relevant Resources

      • The new Hotpatching feature is now generally available. Please see Hotpatching feature for Windows Server Azure Edition virtual machines (VMs) for more information.
      • Windows 10 and Windows 11 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10 and Windows 11, in addition to non-security updates. The updates are available via the Microsoft Update Catalog. For information on lifecycle and support dates for Windows 10 and Windows 11 operating systems, please see Windows Lifecycle Facts Sheet.
      • Microsoft is improving Windows Release Notes. For more information, please see What's next for Windows release notes.
      • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
      • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
      • Customers running Windows Server 2008 R2, or Windows Server 2008 need to purchase the Extended Security Update to continue receiving security updates. See 4522133 for more information.

      Known Issues
      You can see these in more detail from the Deployments tab by selecting Known Issues column in the Edit Columns panel.

      For more information about Windows Known Issues, please see Windows message center (links to currently-supported versions of Windows are in the left pane).

      KB Article Applies To
      5073379 Windows Server 2025
      5073450 Windows Server 23H2
      5073457 Windows Server 2022
      5074109 Windows 11, version 24H2, Windows 11, version 25H2
      Released: Jan 13, 2026

      January 2026 Security Updates - Release Notes - Security Update Guide - Microsoft

      Daniel - Microsoft MVP Consumer Security (2012-2016) Windows 10 Pro x64 for Workstations 22H2 on my Alienware 17R2 and Windows 11 Pro x64 25H2 for Workstations on my Alienware 17R5 Laptops with Webroot SecureAnywhere Complete Beta Tester for PC & Android Samsung Galaxy A16 5G OS 16.
        TripleHelix
        Moderator
        Forum|alt.badge.img+63
        • TripleHelix
        • Author
        • Moderator
        • January 13, 2026

        January 2026 Microsoft Patch Tuesday Summary

        Published: 2026-01-13. Last Updated: 2026-01-13 19:05:41 UTC

         

        https://isc.sans.edu/diary/January%202026%20Microsoft%20Patch%20Tuesday%20Summary/32624

        Daniel - Microsoft MVP Consumer Security (2012-2016) Windows 10 Pro x64 for Workstations 22H2 on my Alienware 17R2 and Windows 11 Pro x64 25H2 for Workstations on my Alienware 17R5 Laptops with Webroot SecureAnywhere Complete Beta Tester for PC & Android Samsung Galaxy A16 5G OS 16.
          TripleHelix
          Moderator
          Forum|alt.badge.img+63
          • TripleHelix
          • Author
          • Moderator
          • January 16, 2026

          CVEs have been published or revised in the Security Update Guide

          January 16, 2026

          These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

          CVE-2026-0899

          • Title: Chromium: CVE-2026-0899 Out of bounds memory access in V8
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating:
          • Customer action required: Yes

          CVE-2026-0900

          • Title: Chromium: CVE-2026-0900 Inappropriate implementation in V8
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating:
          • Customer action required: Yes

          CVE-2026-0901

          • Title: Chromium: CVE-2026-0901 Inappropriate implementation in Blink
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating:
          • Customer action required: Yes

          CVE-2026-0902

          • Title: Chromium: CVE-2026-0902 Inappropriate implementation in V8
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating:
          • Customer action required: Yes

          CVE-2026-0903

          • Title: Chromium: CVE-2026-0903 Insufficient validation of untrusted input in Downloads
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating:
          • Customer action required: Yes

          CVE-2026-0904

          • Title: Chromium: CVE-2026-0904 Incorrect security UI in Digital Credentials
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating:
          • Customer action required: Yes

          CVE-2026-0905

          • Title: Chromium: CVE-2026-0905 Insufficient policy enforcement in Network
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating:
          • Customer action required: Yes

          CVE-2026-0906

          • Title: Chromium: CVE-2026-0906 Incorrect security UI
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating:
          • Customer action required: Yes

          CVE-2026-0907

          • Title: Chromium: CVE-2026-0907 Incorrect security UI in Split View
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating:
          • Customer action required: Yes

          CVE-2026-0908

          • Title: Chromium: CVE-2026-0908 Use after free in ANGLE
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating:
          • Customer action required: Yes

          CVE-2026-20960

          • Title: Microsoft Power Apps Remote Code Execution Vulnerability
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating: Important
          • Customer action required: Yes

          CVE-2026-21223

          • Title: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
          • Version: 1.0
          • Reason for revision: Information published.
          • Originally released: January 16, 2026
          • Last updated: January 16, 2026
          • Aggregate CVE severity rating: Important

          Customer action required: Yes

          Daniel - Microsoft MVP Consumer Security (2012-2016) Windows 10 Pro x64 for Workstations 22H2 on my Alienware 17R2 and Windows 11 Pro x64 25H2 for Workstations on my Alienware 17R5 Laptops with Webroot SecureAnywhere Complete Beta Tester for PC & Android Samsung Galaxy A16 5G OS 16.
            TripleHelix
            Moderator
            Forum|alt.badge.img+63
            • TripleHelix
            • Author
            • Moderator
            • January 21, 2026

            CVEs have been published or revised in the Security Update Guide

            January 20, 2026

            These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

            CVE-2026-20943

            • Title: Microsoft Office Click-To-Run Remote Code Execution Vulnerability
            • Version: 1.1
            • Reason for revision: Corrected CVE title. This is an informational change only.
            • Originally released: January 13, 2026
            • Last updated: January 20, 2026
            • Aggregate CVE severity rating: Important
            • Customer action required: Yes

            CVE-2026-20943

            • Title: Microsoft Office Click-To-Run Remote Code Execution Vulnerability
            • Version: 1.2
            • Reason for revision: Updated FAQ information. This is an informational change only.
            • Originally released: January 13, 2026
            • Last updated: January 20, 2026
            • Aggregate CVE severity rating: Important

            Customer action required: Yes

            Daniel - Microsoft MVP Consumer Security (2012-2016) Windows 10 Pro x64 for Workstations 22H2 on my Alienware 17R2 and Windows 11 Pro x64 25H2 for Workstations on my Alienware 17R5 Laptops with Webroot SecureAnywhere Complete Beta Tester for PC & Android Samsung Galaxy A16 5G OS 16.
              TripleHelix
              Moderator
              Forum|alt.badge.img+63
              • TripleHelix
              • Author
              • Moderator
              • January 23, 2026

              CVEs have been published or revised in the Security Update Guide

              January 22, 2026

              These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

              CVE-2026-21227

              • Title: Azure Logic Apps Elevation of Privilege Vulnerability
              • Version: 1.0
              • Reason for revision: Information published.
              • Originally released: January 22, 2026
              • Last updated: January 22, 2026
              • Aggregate CVE severity rating: Critical
              • Customer action required: No

              CVE-2026-21264

              • Title: Microsoft Account Spoofing Vulnerability
              • Version: 1.0
              • Reason for revision: Information published.
              • Originally released: January 22, 2026
              • Last updated: January 22, 2026
              • Aggregate CVE severity rating: Critical
              • Customer action required: No

              CVE-2026-21520

              • Title: Copilot Studio Information Disclosure Vulnerability
              • Version: 1.0
              • Reason for revision: Information published.
              • Originally released: January 22, 2026
              • Last updated: January 22, 2026
              • Aggregate CVE severity rating: Critical
              • Customer action required: No

              CVE-2026-21521

              • Title: Word Copilot Information Disclosure Vulnerability
              • Version: 1.0
              • Reason for revision: Information published.
              • Originally released: January 22, 2026
              • Last updated: January 22, 2026
              • Aggregate CVE severity rating: Critical
              • Customer action required: No

              CVE-2026-21524

              • Title: Azure Data Explorer Information Disclosure Vulnerability
              • Version: 1.0
              • Reason for revision: Information published.
              • Originally released: January 22, 2026
              • Last updated: January 22, 2026
              • Aggregate CVE severity rating: Critical
              • Customer action required: No

              CVE-2026-24304

              • Title: Azure Resource Manager Elevation of Privilege Vulnerability
              • Version: 1.0
              • Reason for revision: Information published.
              • Originally released: January 22, 2026
              • Last updated: January 22, 2026
              • Aggregate CVE severity rating: Critical
              • Customer action required: No

              CVE-2026-24305

              • Title: Azure Entra ID Elevation of Privilege Vulnerability
              • Version: 1.0
              • Reason for revision: Information published.
              • Originally released: January 22, 2026
              • Last updated: January 22, 2026
              • Aggregate CVE severity rating: Critical
              • Customer action required: No

              CVE-2026-24306

              • Title: Azure Front Door Elevation of Privilege Vulnerability
              • Version: 1.0
              • Reason for revision: Information published.
              • Originally released: January 22, 2026
              • Last updated: January 22, 2026
              • Aggregate CVE severity rating: Critical
              • Customer action required: No

              CVE-2026-24307

              • Title: M365 Copilot Information Disclosure Vulnerability
              • Version: 1.0
              • Reason for revision: Information published.
              • Originally released: January 22, 2026
              • Last updated: January 22, 2026
              • Aggregate CVE severity rating: Critical

              Customer action required: No

              Daniel - Microsoft MVP Consumer Security (2012-2016) Windows 10 Pro x64 for Workstations 22H2 on my Alienware 17R2 and Windows 11 Pro x64 25H2 for Workstations on my Alienware 17R5 Laptops with Webroot SecureAnywhere Complete Beta Tester for PC & Android Samsung Galaxy A16 5G OS 16.
                Terms & ConditionsAccessibility statement