Microsoft’s January Security Update: High-Risk Vulnerability Notices Across Multiple Products

On January 14, 2026, NSFOCUS CERT reported that Microsoft issued its January Security Update, addressing 112 security vulnerabilities across widely used products, including Windows, Microsoft Office, Microsoft SQL Server, and Azure. The update comprises 8 critical and 104 important vulnerabilities, among which the Desktop Window Manager Information Disclosure Vulnerability (CVE-2026-20805) has been found to be actively exploited in the wild. Users are urged to install the patch promptly for protection. A detailed list of vulnerabilities is available in the update’s appendix.

Key Vulnerabilities

1. Desktop Window Manager Information Disclosure Vulnerability (CVE-2026-20805):

   • An information disclosure flaw in DWM allows authenticated attackers to access sensitive system information via crafted requests. CVSS score: 5.5.
   • Official announcement

2. Microsoft Office Remote Code Execution Vulnerabilities (CVE-2026-20952/CVE-2026-20953):

   • A use-after-free issue in Office could allow unauthenticated attackers to execute code by tricking users into opening malicious documents. CVSS score: 8.4.
   • Official announcement for CVE-20952
   • Official announcement for CVE-20953

3. Microsoft Excel Remote Code Execution Vulnerabilities (CVE-2026-20955/CVE-2026-20957):

   • Exploitable issues that permit arbitrary code execution on the victim’s host via malicious Excel files. CVSS score: 7.8.
   • Official announcement for CVE-20955
   • Official announcement for CVE-20957

4. Microsoft Word Remote Code Execution Vulnerability (CVE-2026-20944):

   • An out-of-bounds read vulnerability in Word lets unauthenticated attackers execute arbitrary code. CVSS score: 8.4.
   • Official announcement

5. Windows LSASS Remote Code Execution Vulnerability (CVE-2026-20854):

   • An issue in LSASS allows authenticated attackers to execute arbitrary code by manipulating directory attributes. CVSS score: 7.5.
   • Official announcement

6. Windows NTFS Remote Code Execution Vulnerability (CVE-2026-20840):

   • This vulnerability could allow authenticated attackers to execute arbitrary code locally due to a heap-based buffer overflow. CVSS score: 7.8.
   • Official announcement

7. Windows Graphics Component Privilege Escalation Vulnerability (CVE-2026-20822):

   • Lets authenticated local attackers elevate privileges to SYSTEM via reuse of released objects. CVSS score: 7.8.
   • Official announcement

8. Windows VBS Enclave Privilege Escalation Vulnerability (CVE-2026-20876):

   • Authenticated local attackers can exploit a buffer overflow issue in VBS Enclaves to elevate privileges. CVSS score: 6.7.
   • Official announcement

Impact Scope

The update affects various product versions. Key CVEs include:

• CVE-2026-20805: Affects multiple versions of Windows 10 and Windows Server.
• CVE-2026-20952, CVE-2026-20953: Affects various editions of Microsoft Office.
• CVE-2026-20955, CVE-2026-20957: Also affecting various editions of Microsoft Office.

Mitigation

Microsoft has officially released security patches for affected product versions. Users are strongly advised to install these patches immediately. For detailed patch notes and installations, refer to the official download link: Microsoft Security Update January 2026.

Users should verify the update status in Windows settings or use the Microsoft Update Catalog for manual downloads.

Additional Information

This advisory serves to inform about potential risks. NSFOCUS retains the right to modify or interpret this advisory without subsequent liability for any consequences related to its implementation.

For a comprehensive view of the vulnerabilities and Microsoft’s response, maintain updated security measures by regularly visiting the official Microsoft security update guide.

Hudson Valley Host is premier provider of cutting-edge hosting solutions, specializing in delivering a seamless online experience for businesses and individuals. We offer a comprehensive range of hosting services, including Shared Hosting, VPS, Dedicated Servers, and Colocation. With 24/7 technical support, robust security measures, and user-friendly control panels, we empower clients in managing their online presence effortlessly. Hudson Valley Host is your trusted partner in achieving online success.

For Inquiries or to receive a personalized quote, please reach out to us through our contact form here or email us at sales@hudsonvalleyhost.com.