Overview
- Microsoft addressed roughly 112 vulnerabilities, including eight rated critical, across Windows, Office and other components.
- CVE-2026-20805 in Desktop Window Manager is confirmed exploited in the wild, leaking an ALPC section address that can weaken ASLR; CISA added it to the KEV catalog with a federal deadline of February 3, 2026.
- Critical risks include RCE bugs in LSASS, Word, Excel and Office, plus elevation-of-privilege flaws in Windows Graphics and the VBS Enclave that could grant VTL2-level access.
- Microsoft removed the legacy soft modem drivers agrsm64.sys, agrsm.sys, smserl64.sys and smserial.sys to mitigate long-standing EoP issues; hardware that depends on these drivers will stop working and needs to be removed or replaced.
- CVE-2026-21265 spotlights Secure Boot certificate expirations in 2026, requiring migration to 2023 certificates and coordinated OS and firmware updates to preserve Secure Boot protections and future fixes.
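
To find hosts that still rely on the four removed soft modem drivers before the update lands, a read-only inventory check can be run on each machine. This is an added example, not Microsoft's tooling; the function name `Find-RemovedModemDriver` is hypothetical and the default `System32\drivers` location is an assumption.

```powershell
# Added example: report whether any of the removed soft modem drivers named
# above is present on disk or registered as a kernel driver service.
function Find-RemovedModemDriver {
    [CmdletBinding()]
    param(
        # Driver file names taken from the overview above.
        [string[]]$DriverFile = @('agrsm64.sys', 'agrsm.sys', 'smserl64.sys', 'smserial.sys'),
        # Assumption: default driver directory; point this at a mounted image if needed.
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
    )

    # Kernel driver services known to the Service Control Manager.
    $services = @(Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue)

    foreach ($file in $DriverFile) {
        $onDisk = Test-Path -LiteralPath (Join-Path $DriverDir $file) -PathType Leaf

        # Anchor on a path separator so 'agrsm.sys' does not match 'agrsm64.sys'.
        $pattern = '(^|\\)' + [regex]::Escape($file) + '\s*$'
        $svc = $services |
            Where-Object { $_.PathName -and ($_.PathName -match $pattern) } |
            Select-Object -First 1

        [pscustomobject]@{
            Driver       = $file
            FileOnDisk   = $onDisk
            ServiceName  = if ($svc) { $svc.Name } else { $null }
            ServiceState = if ($svc) { $svc.State } else { $null }   # Running / Stopped
            StartMode    = if ($svc) { $svc.StartMode } else { $null }
        }
    }
}

$report = Find-RemovedModemDriver
$report | Format-Table -AutoSize

# A file on disk or a registered service means some device may depend on the driver.
$affected = @($report | Where-Object { $_.FileOnDisk -or $_.ServiceName })
if ($affected.Count -gt 0) {
    Write-Warning ("{0} removed modem driver(s) found on {1}: {2}" -f
        $affected.Count, $env:COMPUTERNAME, ($affected.Driver -join ', '))
}
```

A driver reported with `ServiceState` of `Running` indicates hardware actively bound to it, which is the case to plan a replacement for.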