Alerts

Microsoft January 2026 Patch Tuesday: 114 Vulnerabilities Fixed Including 3 Zero-Days

Microsoft's first Patch Tuesday of 2026 addresses 114 security vulnerabilities across Windows, Office, and related services. The release includes 12 critical-severity flaws and patches for three zero-day vulnerabilities.

By the Numbers

Zero-Days Patched

Three zero-day vulnerabilities were addressed in this release:

CVE-2026-20805 - Desktop Window Manager information disclosure flaw allowing unauthorized access to sensitive data
CVE-2026-21265 - Windows Digital Media elevation of privilege bug commonly used in attack chains
CVE-2023-31096 - Legacy Agere Soft Modem driver elevation of privilege issue included in cumulative updates

Critical Vulnerabilities

The most severe flaws patched this month include:

CVE-2026-20854 - Use-after-free in Windows LSASS enabling remote code execution over the network
CVE-2026-20944 - Out-of-bounds read in Microsoft Word allowing RCE
CVE-2026-20953 / CVE-2026-20952 - Use-after-free vulnerabilities in Microsoft Office
CVE-2026-20955 / CVE-2026-20957 - Pointer and integer underflow issues in Microsoft Excel
CVE-2026-20822 - Graphics Component elevation of privilege via use-after-free
CVE-2026-20876 - VBS Enclave elevation of privilege

Patch Priority

Administrators should prioritise:

Internet-facing systems including WSUS servers (CVE-2026-20856) and SMB servers
Office endpoints due to multiple critical RCE flaws
Systems running affected kernel drivers

Testing in staging environments is recommended due to potential regressions in drivers like Cloud Files Mini Filter. Monitor CISA KEV for any rapid additions as zero-days may see active exploitation.

GitHub Confirms TeamPCP Breach of 3,800 Internal Repositories After Employee Installed Poisoned VS Code Extension

GitHub has confirmed that approximately 3,800 internal repositories were compromised after a TeamPCP supply chain attack that began with a single employee installing a poisoned Visual Studio Code extension. The breach was announced on Tuesday after TeamPCP posted claims on an underground forum offering GitHub's stolen source

Nx Console VS Code Extension Compromised — 2.2 Million Installs Exposed to Credential Stealer With Sigstore Supply Chain Poisoning Capability

A compromised version of the Nx Console extension — a popular VS Code plugin with over 2.2 million installations — was published to the Visual Studio Code Marketplace after an attacker leveraged stolen developer credentials to inject a multi-stage credential stealer into the official nrwl/nx GitHub repository. The malicious version

Grafana Confirms GitHub Breach After Coinbase Cartel Demands Ransom — Codebase Stolen via Compromised Token

Grafana Labs has confirmed a data breach after attackers used a compromised token to access the company's GitHub environment and download its entire codebase. The open source visualization and analytics platform disclosed the incident on Sunday, two days after cybercrime group Coinbase Cartel listed Grafana on its leak

Pre-Stuxnet Sabotage Malware Fast16 Confirmed as Nuclear Weapons Simulation Tampering Tool Dating Back to 2005

Symantec and Carbon Black have published a definitive analysis confirming that Fast16, a Lua-based malware framework first surfaced by SentinelOne weeks ago, was purpose-built to sabotage nuclear weapons testing simulations. The findings establish Fast16 as the earliest known cyber sabotage tool targeting nuclear weapons research — predating the first known version

Read more

GitHub Confirms TeamPCP Breach of 3,800 Internal Repositories After Employee Installed Poisoned VS Code Extension

Nx Console VS Code Extension Compromised — 2.2 Million Installs Exposed to Credential Stealer With Sigstore Supply Chain Poisoning Capability

Grafana Confirms GitHub Breach After Coinbase Cartel Demands Ransom — Codebase Stolen via Compromised Token

Pre-Stuxnet Sabotage Malware Fast16 Confirmed as Nuclear Weapons Simulation Tampering Tool Dating Back to 2005