Windows info-disclosure 0-day bug gets a fix as CISA sounds alarm
Summary
Microsoft released fixes on the first Patch Tuesday of 2026 that address a zero-day information-disclosure vulnerability tracked as CVE-2026-20805. The flaw, found by Microsoft's own threat intelligence team, lets an authorised attacker leak a memory address from a remote ALPC port, a primitive that can be chained with other bugs to defeat ASLR and lead to arbitrary code execution. Microsoft patched it promptly, and the US CISA added the CVE to its Known Exploited Vulnerabilities catalogue, requiring federal agencies to install the update by 3 February 2026.
The January update is large: 112 Microsoft CVEs were disclosed. Two other issues were flagged as publicly known: CVE-2026-21265 (a Secure Boot certificate expiration/security feature bypass, CVSS 6.4) and CVE-2023-31096 (a 7.8-rated elevation-of-privilege flaw in the third-party Agere Modem drivers, which have now been removed). Microsoft also fixed Office use-after-free bugs (CVE-2026-20952 and CVE-2026-20953) that could enable local code execution via Preview Pane vectors.
Key Points
- CVE-2026-20805 is an information-disclosure zero-day that leaks memory addresses from a remote ALPC port.
- The flaw has a medium severity (CVSS 5.5) but is already listed by CISA as actively exploited, triggering mandated federal patching by 2026-02-03.
- Attackers can use leaked addresses to bypass ASLR and chain to remote code execution; defenders are urged to prioritise patching as the main mitigation.
- January's Patch Tuesday contains 112 Microsoft CVEs, including two other publicly known issues: a Secure Boot certificate expiration/security feature bypass (CVE-2026-21265) and an elevation-of-privilege flaw in the Agere Modem drivers, addressed by removing the drivers (CVE-2023-31096).
- Microsoft fixed multiple Office use-after-free bugs (CVE-2026-20952, CVE-2026-20953) that expose Preview Pane exploit vectors.
- Microsoft did not detail which components might be used in exploit chains, limiting proactive threat-hunting options for defenders.
Content summary
Microsoft patched a zero-day information-disclosure bug (CVE-2026-20805) discovered internally. The vulnerability exposes a memory address via ALPC, which can be exploited to undermine ASLR and enable follow-on code execution. CISA marked it as known exploited and added it to its catalogue, requiring federal agencies to apply the update quickly. The broader January update is substantial, covering 112 CVEs and including fixes for Secure Boot certificate expiry issues and legacy third-party drivers, plus several Office bugs that could be used in local code execution attacks.
Context and relevance
This arrives at the start of 2026's patch cycle and underscores the persistent risk in Windows environments of memory-disclosure bugs being chained with flaws in other components. Info-disclosure bugs that reveal memory layout are frequently weaponised to turn hard-to-exploit flaws into reliable attacks. The CISA listing increases urgency for government and critical infrastructure operators, and the volume of fixes means admins should review and prioritise updates according to exposure and exploitability.
Author style
Punchy: This is one of those patches you don’t want to file away for later. It’s a practical risk — CISA is forcing hands — so treat the update as high priority even if the CVSS looks middling. Read the details if you manage Windows fleets or run sensitive services; the operational headaches from the Secure Boot certificate expiry alone could be nasty.
Why should I read this?
Quick and blunt: if you run Windows anywhere important, this matters. A zero-day is already being used, CISA has put it on its known-exploited list, and Microsoft pushed a big update with multiple potentially disruptive fixes. Save yourself the scramble — patch, check Secure Boot certificates, and keep an eye on Office Preview Pane behaviour. Done? You’re welcome.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/01/14/patch_tuesday_january_2026/
