Microsoft opened its 2026 patching year with a heavier-than-expected load: its first Patch Tuesday of the year fixes 112 CVEs, nearly double the previous month's tally. Headlining the release is an actively exploited zero-day in Desktop Window Manager (DWM), tracked as CVE-2026-20805 (CVSS 5.5), which leaks memory-address information attackers can use to weaken protections and enable follow-on attacks.

DWM governs how application windows are drawn on screen and has a long history of flaws. Tenable's Satnam Narang notes this is the first information-disclosure zero-day in the component; although Microsoft rates the severity only moderate, the confirmed exploitation raises the stakes, since leaked memory details can be chained with other bugs to escalate privileges or steal data.

Microsoft flagged eight bugs in the update as "exploitation more likely." Two are NTFS remote-code-execution flaws, CVE-2026-20840 and CVE-2026-20922 (both CVSS 7.8): buffer overflows that an attacker with local access can use to run arbitrary code. Researchers urge fast patching because both were reported by third parties, which makes public technical detail likely to follow. The remaining six are elevation-of-privilege flaws, each scored 7.8, spanning Windows Installer, Windows Error Reporting, the Common Log File System driver, Routing and Remote Access, the Ancillary Function Driver for WinSock, and DWM.

Some bugs Microsoft rates as less likely to be exploited still warrant priority. CVE-2026-20876, an elevation-of-privilege flaw in the Windows VBS Enclave, could let an attacker break Windows isolation boundaries and reach trusted execution layers, putting credentials and secrets at risk. Two critical-rated Office RCE flaws, CVE-2026-20952 and CVE-2026-20953 (both CVSS 8.4), can be triggered through a trusted document or the Preview Pane, in some cases without user interaction.