January 2026 Patch Tuesday delivers security updates for 112 Microsoft CVEs, along with 3 republished non-Microsoft CVEs. This month’s release addresses a broad set of issues spanning Windows core components, remote access services, filesystems, and Office productivity suites.
Among this month’s fixes is a vulnerability confirmed to be actively exploited in the wild: a desktop windowing system bug in the Desktop Window Manager (CVE-2026-20805). Additionally, multiple vulnerabilities are rated “Exploitation More Likely,” signaling elevated risk and a need for rapid remediation.
Although no vulnerabilities this month reach the rare CVSS 9.0+ “Critical” tag, several high-severity and exploitation-ready flaws illustrate the episodic risk that can accumulate when core OS components and drivers intersect with common attacker techniques such as privilege escalation and local code execution.
Microsoft Patch Overview
This month’s update cycle is significant in size, with 112 Microsoft CVEs spanning a wide array of Windows platform components and services. Key areas of focus include:
Windows core and kernel components, including the kernel itself, ancillary drivers, WinSock, Win32K, NTFS, CLFS, and DWM.
Filesystem and storage, including NTFS and CLFS drivers, which are foundational to system integrity and commonly targeted by exploit chains.
Remote access and connectivity services, including Routing and Remote Access Service (RRAS).
Microsoft Office and productivity components, especially SharePoint and Excel/Word document handling.
Server and tooling components, including SQL Server, WSUS, and Windows Deployment Services.
The diversity of affected components, from core OS drivers to user-facing applications, underscores the need for a structured patching strategy that accounts for both risk severity and real-world exploitability.
Zero-Day and Exploitation Likely Vulnerabilities
Actively Exploited Zero-Day
CVE-2026-20805 (Desktop Window Manager): This vulnerability has been confirmed to be actively exploited. It enables local attackers to escalate privileges via DWM, a core Windows graphics/windowing component. Systems that run graphical shells or host multi-user workplaces are especially exposed.
Exploitation More Likely
In addition to the confirmed zero-day, several other vulnerabilities are tagged by Microsoft as “Exploitation More Likely,” indicating conditions that adversaries frequently target:
CVE-2026-20816: Windows Installer
CVE-2026-20817: Windows Error Reporting
CVE-2026-20820: Windows Common Log File System (CLFS) Driver
CVE-2026-20840: Windows NTFS
CVE-2026-20843: Windows Routing and Remote Access Service (RRAS)
CVE-2026-20860: Windows Ancillary Function Driver for WinSock
CVE-2026-20871: Desktop Window Manager
CVE-2026-20922: Windows NTFS
These issues generally carry significant base scores (7.8+), affect common OS features, and are often leveraged in post-compromise actions such as lateral movement or privilege escalation.
High-Severity CVEs (CVSS 8.8)
While none of this month’s CVEs are rated above 9.0, several vulnerabilities sit at the top of the severity scale (CVSS 8.8), impacting widely deployed services and collaboration platforms:
CVE-2026-20868: Windows RRAS (8.8)
CVE-2026-20947: Microsoft Office SharePoint (8.8)
CVE-2026-20963: Microsoft Office SharePoint (8.8)
These issues are not only high-scoring but also affect services with broad enterprise use, further justifying early prioritization.
Patch Prioritization Guidance
Patch Within 72 Hours
Focus the first wave of deployment on confirmed exploitation and high-risk exploitation-likely vulnerabilities:
CVE-2026-20805: Desktop Window Manager (actively exploited)
Exploitation More Likely set
CVE-2026-20816 (Windows Installer)
CVE-2026-20817 (Windows Error Reporting)
CVE-2026-20820 (CLFS Driver)
CVE-2026-20840/20922 (Windows NTFS)
CVE-2026-20843 (RRAS)
CVE-2026-20860 (WinSock)
CVE-2026-20871 (DWM)
High Severity (CVSS 8.8) vulnerabilities
CVE-2026-20868 (RRAS)
CVE-2026-20947/20963 (SharePoint)
These updates address components with high exploit potential or frequent use in breach chains and should be prioritized on both workstations and servers.
Patch Within One to Two Weeks
Following the initial urgency window, the next set of patches to roll out includes filesystem and driver issues, platform services, and Office vulnerabilities that can lead to remote code execution or privilege escalation when paired with other exploits:
Filesystem & driver EoPs (e.g., additional NTFS/CLFS variants)
Windows platform and UI components (Installer, Shell, File Explorer)
Office document handling (Word, Excel)
Server roles (SQL Server, WSUS, Windows Deployment Services)
These patches should be deployed once the critical first wave has been validated.
Regular Patch Cadence
The remaining vulnerabilities, generally lower severity or rated Exploitation Unlikely, should be folded into your standard maintenance windows:
Components such as Hyper-V, SMB Server variants, Kerberos, NDIS, and legacy services
UI/UX components like WalletService, TWINUI, and remote assistance
Lower-impact Office/SharePoint issues with lower exploit likelihood
Republished Non-Microsoft CVEs
Microsoft also republished three non-Microsoft CVEs impacting legacy modem drivers and Chromium-based Edge:
CVE-2023-31096: Agere Windows Modem Driver
CVE-2024-55414: Windows Motorola Soft Modem Driver
CVE-2026-0628: Microsoft Edge (Chromium-based)
These CVEs should be reviewed for impacted environments, but generally follow lower priority unless still present and exploitable.
How Splashtop AEM Can Help
January’s Patch Tuesday underscores how quickly endpoint risk can escalate when actively exploited and exploitation-likely vulnerabilities intersect with delayed patch cycles. Splashtop AEM is designed to help IT teams respond faster, with greater precision, and less manual effort.
1. Respond Faster to Actively Exploited Vulnerabilities
When vulnerabilities like CVE-2026-20805 are actively exploited, time to patch matters.
Splashtop AEM enables:
Real-time OS patching for Windows and macOS, reducing exposure windows compared to delayed check-in models
Immediate remediation of high-risk vulnerabilities without waiting for scheduled maintenance cycles
Centralized visibility into which endpoints remain exposed after Patch Tuesday
This allows teams to act decisively when exploitation is confirmed, rather than relying on best-effort rollout timelines.
2. Reduce Manual Effort with Automated, CVE-Based Patching
For teams still patching manually, January’s volume and exploitability mix quickly becomes operationally overwhelming.
Splashtop AEM helps by:
Mapping vulnerabilities directly to CVE-level insights, making prioritization clearer
Automating patch deployment through policy-based workflows
Ensuring consistent remediation across workstations and servers without custom scripts
This reduces reliance on spreadsheets, one-off scripts, and after-hours patching.
3. Close the Gaps Left by Microsoft Intune
While Microsoft Intune provides baseline endpoint management, Patch Tuesday often exposes its limitations.
Splashtop AEM complements Intune with:
Real-time patch execution, rather than delayed update cycles
Broader third-party application patching coverage
More granular control over remediation timing for high-risk vulnerabilities
This is especially valuable for filesystem, driver, and Windows service vulnerabilities that attackers frequently exploit after initial access.
4. A Simpler Alternative to Traditional RMMs
For teams using an RMM primarily for patching and visibility, complexity can slow response during high-risk release cycles.
Splashtop AEM offers:
A lighter-weight platform focused on speed and clarity
Built-in dashboards, inventory reporting, and scripting
Ring-based deployments to validate patches before broad rollout
This helps teams maintain control without the overhead of a full RMM toolset.
Final Thoughts for IT Teams
January 2026’s Patch Tuesday combines meaningful volume with elevated risk. One actively exploited vulnerability, a broad set of “Exploitation More Likely” CVEs, and high-severity issues across core Windows services reinforce a familiar reality for IT teams. Delayed or inconsistent patching continues to create opportunities for attackers to escalate privileges, move laterally, and deepen compromise.
Applying a structured, risk-based patching approach helps teams focus first on what matters most, while maintaining stability across diverse environments. Visibility into exposed systems, the ability to act quickly when exploitation is confirmed, and automation that reduces manual effort are now essential, not optional.
If you are looking to improve how your team responds to Patch Tuesday risk, start a free trial of Splashtop AEM to see how real-time patching, CVE-based insights, and automated remediation can help reduce exposure and simplify endpoint security operations.
