Microsoft Patch Tuesday January 2026: Critical Windows, Office, Firefox, and Chrome Vulnerabilities Exploited in the Wild

  • Rescana
  • 7 minutes ago
  • 6 min read

Executive Summary

The January 2026 Patch Tuesday release from Microsoft and other major vendors marks a critical juncture in the ongoing battle against sophisticated cyber threats. This month’s coordinated disclosure and patch cycle addresses 113 vulnerabilities across the Windows ecosystem, Microsoft Office, Mozilla Firefox, Google Chrome, and a range of legacy and modern drivers. Of particular concern is CVE-2026-20805, a zero-day vulnerability in the Desktop Window Manager (DWM), which has been confirmed as actively exploited in the wild. Several critical remote code execution (RCE) flaws in Microsoft Office (notably CVE-2026-20952 and CVE-2026-20953) and a Secure Boot bypass (CVE-2026-21265) further elevate the risk profile for organizations relying on these platforms. This advisory provides a comprehensive technical breakdown, exploitation context, APT group activity, affected product versions, and actionable mitigation guidance. Executives and technical teams alike should prioritize immediate patching and review their exposure to legacy drivers and boot components.

Technical Information

The January 2026 Patch Tuesday encompasses a broad spectrum of vulnerabilities, ranging from privilege escalation and information disclosure to remote code execution and security feature bypasses. The most significant technical details are as follows:

CVE-2026-20805 targets the Desktop Window Manager (DWM), a core component responsible for rendering the Windows graphical user interface. This vulnerability enables information disclosure by undermining Address Space Layout Randomization (ASLR), a critical memory protection mechanism. By leaking memory layout information, attackers can reliably chain this flaw with other vulnerabilities—such as kernel or user-mode RCEs—to achieve code execution or privilege escalation. The exploit leverages crafted window objects and DWM API calls to extract sensitive memory addresses, bypassing ASLR and facilitating subsequent exploitation. Microsoft has not disclosed the full exploit chain, but the technical community suspects that this vulnerability is being used as a precursor in multi-stage attacks.

CVE-2026-20952 and CVE-2026-20953 are critical RCE vulnerabilities in Microsoft Office. These flaws can be triggered simply by previewing a maliciously crafted document in the Outlook Preview Pane, requiring no user interaction beyond viewing the email. The vulnerabilities stem from improper handling of embedded objects and malformed file structures, allowing arbitrary code execution in the context of the logged-in user. Attackers can leverage these flaws for initial access, lateral movement, and data exfiltration, especially in environments where Office is widely deployed.

CVE-2023-31096 affects legacy Agere modem drivers (agrsm64.sys, agrsm.sys) present on some Windows systems. This elevation of privilege vulnerability allows local attackers to execute code with SYSTEM privileges by exploiting insecure driver operations. Public exploit code is available, increasing the risk of opportunistic attacks, particularly in organizations with outdated hardware or insufficient driver management.

CVE-2026-21265 is a security feature bypass in Windows Secure Boot. This vulnerability allows attackers to circumvent Secure Boot protections by exploiting expired or improperly validated boot certificates. The risk is compounded by the upcoming expiration of certain Secure Boot certificates in June and October 2026, which could leave systems exposed to bootkits and persistent malware such as BlackLotus. The technical vector involves manipulating bootloader components and leveraging legacy certificate chains to load unsigned or malicious code during the boot process.

Browser vulnerabilities also feature prominently this month. Mozilla Firefox patched 34 vulnerabilities, including CVE-2026-0891 and CVE-2026-0892, which are suspected to be exploited in the wild. These flaws affect memory management and sandboxing, potentially allowing attackers to escape browser isolation and execute code on the host system. Google Chrome addressed a high-severity WebView vulnerability (CVE-2026-0628) that could be exploited via malicious web content.

The technical landscape is further complicated by the presence of legacy drivers, outdated boot components, and the increasing sophistication of exploit chains that combine information disclosure, privilege escalation, and RCE vectors. Organizations must adopt a holistic approach to patch management, driver auditing, and boot process integrity to mitigate these multifaceted threats.

Exploitation in the Wild

Active exploitation has been confirmed for CVE-2026-20805 in the Desktop Window Manager. Threat actors are leveraging this vulnerability to bypass ASLR, enabling more reliable exploitation of chained vulnerabilities for privilege escalation or remote code execution. Security telemetry indicates that exploitation attempts are targeting both enterprise and consumer Windows environments, with a focus on systems lacking recent security updates.

Mozilla Firefox vulnerabilities CVE-2026-0891 and CVE-2026-0892 are suspected to be exploited in the wild, although detailed exploitation data remains undisclosed. These vulnerabilities are believed to be used in targeted attacks against high-value individuals and organizations, exploiting weaknesses in browser memory management.

For CVE-2023-31096, while no confirmed in-the-wild exploitation has been reported as of January 2026, the availability of public exploit code significantly raises the risk of opportunistic attacks, especially in environments with legacy hardware.

Microsoft Office RCE vulnerabilities (CVE-2026-20952 and CVE-2026-20953) have not yet been observed in active exploitation, but the attack surface—triggered by simply previewing a malicious document—makes them highly attractive for phishing campaigns and initial access operations.

APT Groups using this vulnerability

No direct attribution has been made for the exploitation of CVE-2026-20805 or the Office RCEs as of this report. However, the tactics, techniques, and procedures (TTPs) observed align closely with those historically employed by APT28 (Fancy Bear), APT29 (Cozy Bear), APT41, and TA505. These groups are known for leveraging Windows information disclosure vulnerabilities in conjunction with RCEs to establish persistent access and escalate privileges within target environments.

The Secure Boot bypass vector (CVE-2026-21265) is reminiscent of previous campaigns involving the BlackLotus bootkit, which exploited similar flaws to achieve pre-OS persistence and evade endpoint detection. While no new APT campaigns have been publicly linked to this specific vulnerability, the risk profile suggests that well-resourced threat actors are likely to incorporate Secure Boot bypasses into their toolkits as certificate expirations approach.

Affected Product Versions

The vulnerabilities disclosed in January 2026 affect a wide array of products and versions. All supported and extended-support versions of Windows 10, Windows 11, and Windows Server (2016, 2019, 2022, including all editions and Core installations) are impacted by CVE-2026-20805 and CVE-2026-21265. Microsoft Office vulnerabilities affect all supported versions, including Office 2016, 2019, 2021, and Office 365 (desktop and web). Legacy Agere modem drivers (agrsm64.sys, agrsm.sys) present on any Windows system are vulnerable to CVE-2023-31096.

Mozilla Firefox vulnerabilities affect versions 121.0, ESR 115.6, and all other supported releases as per Mozilla’s security advisories. Google Chrome vulnerability CVE-2026-0628 impacts version 121.0.6167.85 and all supported versions as detailed in Chrome’s release notes.

Organizations should consult the official advisories and their internal asset inventories to identify all affected endpoints, servers, and user devices.

Workaround and Mitigation

Immediate patching is the most effective mitigation for all vulnerabilities disclosed in this cycle. For CVE-2026-20805, there are no viable workarounds due to the nature of the ASLR bypass; organizations must deploy the official Microsoft update without delay.

For Microsoft Office RCEs (CVE-2026-20952 and CVE-2026-20953), in addition to patching, disabling the Preview Pane in Outlook can serve as a temporary risk reduction measure. User awareness training should reinforce the dangers of opening unsolicited attachments or previewing suspicious emails.

To mitigate CVE-2023-31096, organizations should audit their Windows systems for the presence of legacy Agere modem drivers (agrsm64.sys, agrsm.sys) and remove them where possible. Applying the latest Windows updates will address the underlying vulnerability.
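The audit described above, as an added PowerShell example that is not part of the Rescana advisory: it inventories one host for the two Agere driver file names given in the text, checking the driver directory, kernel driver services, and the driver store (which could silently re-install the driver on a plug-in event). It is read-only and assumes an elevated prompt; removal is left to the administrator.

```powershell
# Added example (not code from the Rescana advisory): inventory one Windows host for the
# legacy Agere modem drivers named above. Read-only; run elevated so the driver-store query works.
$LegacyDrivers = @('agrsm64.sys', 'agrsm.sys')   # file names from the advisory
$Findings = @()

# 1. Driver binaries on disk under the system driver directory
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'
foreach ($name in $LegacyDrivers) {
    $path = Join-Path $DriverDir $name
    if (Test-Path -Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $Findings += [pscustomobject]@{
            Source = 'File'
            Item   = $path
            Detail = "Signature: $($sig.Status); Signer: $($sig.SignerCertificate.Subject)"
        }
    }
}

# 2. Kernel driver services that point at those binaries, whether or not currently loaded
foreach ($svc in Get-CimInstance -ClassName Win32_SystemDriver) {
    foreach ($name in $LegacyDrivers) {
        if ($svc.PathName -and $svc.PathName -like "*$name") {
            $Findings += [pscustomobject]@{
                Source = 'Service'
                Item   = $svc.Name
                Detail = "State: $($svc.State); StartMode: $($svc.StartMode); Path: $($svc.PathName)"
            }
        }
    }
}

# 3. Third-party packages in the driver store that could re-install the driver on a plug-in event
foreach ($pkg in Get-WindowsDriver -Online) {
    if ($pkg.ProviderName -match 'Agere' -or $pkg.OriginalFileName -match 'agrsm') {
        $Findings += [pscustomobject]@{
            Source = 'DriverStore'
            Item   = $pkg.Driver            # published name, e.g. oem12.inf
            Detail = "Provider: $($pkg.ProviderName); INF: $($pkg.OriginalFileName); Version: $($pkg.Version)"
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Agere modem driver artifacts found on this host.'
} else {
    $Findings | Format-Table -AutoSize
    Write-Output 'Review each finding; driver-store packages can be removed with: pnputil /delete-driver <oemNN.inf> /uninstall'
}
```

Run it through your endpoint management tooling to collect results fleet-wide; a finding in the driver store alone still matters, because the package can be re-installed when matching hardware is enumerated.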

For CVE-2026-21265 (Secure Boot bypass), organizations must update Secure Boot certificates to the latest 2023 versions and coordinate with IT teams to ensure BIOS and bootloader components are up to date. This may require collaboration with hardware vendors and careful planning to avoid operational disruptions.
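A readiness check for that certificate update, as an added PowerShell example that is not part of the advisory: it reports whether Secure Boot is on and whether the 2023 Microsoft CAs are already present in the firmware db and KEK variables alongside the 2011 CAs they replace. The certificate subject names are taken from Microsoft's certificate-update guidance, not from this page, and the script assumes an elevated prompt on a UEFI system.

```powershell
# Added example (not code from the advisory): read-only readiness check for the Secure Boot
# certificate update described above. Requires an elevated prompt on a UEFI system.
function Test-SecureBootCert {
    param([string]$Variable, [string]$Subject)
    # The db/KEK variables hold DER certificates; the subject CN survives as an ASCII
    # substring of the blob, so a plain text search is enough to detect presence.
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return ($text -match [regex]::Escape($Subject))
}

$report = [ordered]@{}
try {
    $report['SecureBootEnabled'] = Confirm-SecureBootUEFI
} catch {
    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported platforms
    $report['SecureBootEnabled'] = 'NotSupported'
}

if ($report['SecureBootEnabled'] -eq $true) {
    # Subjects below are the 2023 Microsoft Secure Boot CAs and the 2011 CA they replace,
    # as named in Microsoft's certificate-update guidance (assumption: not taken from this page).
    $report['DB_WindowsPCA2011']      = Test-SecureBootCert -Variable 'db'  -Subject 'Microsoft Windows Production PCA 2011'
    $report['DB_WindowsUEFICA2023']   = Test-SecureBootCert -Variable 'db'  -Subject 'Windows UEFI CA 2023'
    $report['DB_MicrosoftUEFICA2023'] = Test-SecureBootCert -Variable 'db'  -Subject 'Microsoft UEFI CA 2023'
    $report['KEK_Microsoft2023']      = Test-SecureBootCert -Variable 'KEK' -Subject 'Microsoft Corporation KEK 2K CA 2023'
    $report['DBX_SizeBytes']          = (Get-SecureBootUEFI -Name 'dbx').Bytes.Length

    $missing = @('DB_WindowsUEFICA2023', 'DB_MicrosoftUEFICA2023', 'KEK_Microsoft2023') |
        Where-Object { -not $report[$_] }
    $report['Action'] = if ($missing) { "Update needed: $($missing -join ', ')" } else { 'Firmware databases already carry the 2023 CAs' }
}

[pscustomobject]$report | Format-List
```

A host reporting the 2011 CA present and the 2023 CAs absent is the case the advisory warns about; schedule its firmware and bootloader update before the certificate expirations rather than after.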

Browser vulnerabilities in Mozilla Firefox and Google Chrome should be addressed by deploying the latest browser updates across all endpoints. Where possible, enforce automatic updates and restrict the use of unsupported browser versions.

Continuous monitoring for indicators of compromise (IOCs), such as unusual DWM process activity, presence of legacy drivers, and suspicious Office document activity, is recommended. Organizations should also review their endpoint detection and response (EDR) configurations to ensure visibility into exploit attempts and post-exploitation behaviors.

References

  • KrebsOnSecurity, Patch Tuesday January 2026 Edition: https://krebsonsecurity.com/2026/01/patch-tuesday-january-2026-edition/
  • Rapid7, Patch Tuesday January 2026: https://www.rapid7.com/blog/post/em-patch-tuesday-january-2026/
  • NVD, CVE-2026-20805: https://nvd.nist.gov/vuln/detail/CVE-2026-20805
  • NVD, CVE-2026-20952: https://nvd.nist.gov/vuln/detail/CVE-2026-20952
  • NVD, CVE-2026-20953: https://nvd.nist.gov/vuln/detail/CVE-2026-20953
  • NVD, CVE-2026-21265: https://nvd.nist.gov/vuln/detail/CVE-2026-21265
  • MITRE, CVE-2023-31096: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31096
  • Mozilla Security Advisories: https://www.mozilla.org/en-US/security/advisories/
  • Chrome Release Notes: https://chromereleases.googleblog.com/
  • CrowdStrike, Patch Tuesday Analysis January 2026: https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-january-2026/
  • Petri, Microsoft January 2026 Patch Tuesday Updates: https://petri.com/microsoft-january-2026-patch-tuesday-updates/
  • Arctic Wolf, Microsoft Patch Tuesday January 2026: https://arcticwolf.com/resources/blog/microsoft-patch-tuesday-january-2026/
  • Qualys, Microsoft Patch Tuesday January 2026 Security Update Review: https://blog.qualys.com/vulnerabilities-threat-research/2026/01/13/microsoft-patch-tuesday-january-2026-security-update-review

Rescana is here for you

At Rescana, we understand that the evolving threat landscape demands more than just timely patching—it requires continuous, proactive risk management. Our Third-Party Risk Management (TPRM) platform empowers organizations to identify, assess, and mitigate cyber risks across their entire digital supply chain. By leveraging advanced analytics and real-time threat intelligence, we help you stay ahead of emerging vulnerabilities and compliance requirements. If you have any questions about this advisory or need assistance with your cybersecurity strategy, our experts are ready to help at ops@rescana.com.
