Microsoft’s Patch Tuesday Starts 2026 With a Bang — & a Zero-Day

By Dark Reading
Publication Date: 2026-01-13 21:11:00

Security teams expecting another modest Patch Tuesday after December are likely to be disappointed with Microsoft’s January update, which tackles 112 common vulnerabilities and exposures (CVEs), nearly double the number addressed last month.

Among them is a zero-day vulnerability in Desktop Window Manager (DWM) designated as CVE-2026-20805 (CVSS score: 5.5), which attackers are already exploiting to leak memory address information that could weaken system protections and enable follow-on attacks.

Actively Exploited Zero-Day

DWM controls how application windows appear on a user’s screen and is a component that has had its share of vulnerabilities over the years, said Satnam Narang, senior staff research engineer at Tenable, in a prepared comment. The latest vulnerability — the first information disclosure zero-day bug in DWM — allows attackers to steal information that could help them escalate privileges, Narang said.

Though Microsoft itself has assessed CVE-2026-20805 as being…