Today is Microsoft' 2026 Patch Tuesday with security updates for 114 flaws, including one actively exploited and two publicly disclosed zero-day vulnerabilities.

Microsoft’s January 2026 Patch Tuesday fixes 112 CVEs, including an exploited Windows DWM zero-day, plus critical flaws across SharePoint, Office, and Windows services.

Microsoft has patched three zero-day vulnerabilities in the first patch Tuesday of 2026, including one under active exploitation

Eight critical vulnerabilities and an actively exploited zero day highlight Microsoft’s first Patch Tuesday announcements for 2026. Most of the higher scoring vulnerabilities impact Office products, with two holes in SharePoint scoring an 8.8 on the CVSS scale.

Among them is a zero-day vulnerability in Desktop Window Manager (DWM) designated as CVE-2026-20805 (CVSS score: 5.5), which attackers are already exploiting to leak memory address information that could weaken system protections and enable follow-on attacks.