January 14, 2026
Microsoft’s first round of Patch Tuesday updates for 2026 addresses 112 vulnerabilities, including a zero-day that has been actively exploited in attacks.
The exploited vulnerability is tracked as CVE-2026-20805 and it has been described by Microsoft as an important-severity information disclosure issue in the Desktop Windows Manager component of Windows.
“Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally,” Microsoft said in its advisory, adding, “The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port which is user-mode memory.”
CVE-2026-20805 was discovered by Microsoft’s own researchers, but the tech giant does not appear to have shared any information on the attacks exploiting the zero-day.
Trend Micro’s ZDI believes threat actors have likely exploited the flaw in targeted attacks, as part of an exploit chain where the address obtained as a result of CVE-2026-20805’s exploitation is useful for achieving arbitrary code execution.
“This shows how memory leaks can be as important as code execution bugs since they make the RCEs reliable,” noted ZDI’s Dustin Childs.
Two Windows vulnerabilities patched this month were disclosed publicly before the fixes became available: CVE-2026-21265 (Secure Boot bypass) and CVE-2023-31096 (privilege escalation).
Based on Microsoft’s assessment, only the latter is ‘more likely’ to be exploited in the wild.
Adobe on Tuesday announced the rollout of patches for nearly 140 vulnerabilities across its products, including critical-severity bugs in ColdFusion and Experience Manager.
ColdFusion received fixes for 12 security defects, most of which could be exploited for arbitrary code execution.
The most severe of these are CVE-2025-61808, CVE-2025-61809, and CVE-2025-61830 (CVSS score of 9.1), described as unrestricted dangerous file upload, improper input validation, and deserialization of untrusted data, respectively.
Adobe has released security updates for 11 products on January 2026 Patch Tuesday, addressing a total of 25 vulnerabilities, including a critical code execution flaw.
The critical-severity issue, tracked as CVE-2025-66516 (CVSS score of 10/10), is an XML External Entity (XXE) injection bug in Apache Tika modules that could be exploited via XFA files placed inside PDF documents.
The security defect was patched in early December, when Apache warned that successful exploitation could lead to information leaks, SSRF attacks, denial-of-service (DoS), or remote code execution (RCE).
On Tuesday, Adobe released a ColdFusion security update to resolve CVE-2025-66516, noting that all ColdFusion 2025 Update 5 and earlier versions, and ColdFusion 2023 Update 17 and earlier versions are affected, on all platforms.
The vulnerability was addressed in ColdFusion 2025 Update 6 and ColdFusion 2023 Update 18. Adobe has slapped a priority rating of ‘1’ on the security bulletin, urging users to update as soon as possible.
Another Adobe product that received an update on January 2026 Patch Tuesday is Dreamweaver. The security refresh resolves five high-severity flaws, four leading to arbitrary code execution and one leading to arbitrary system file write.
High-severity security defects were resolved in Bridge, Illustrator, InCopy, InDesign, Substance 3D Modeler, Substance 3D Sampler, Substance 3D Stager, and Substance 3D Painter. For some products, the updates also fixed medium-severity bugs.
Adobe also released fixes for a medium-severity vulnerability in Substance 3D Designer, warning it could lead to memory leaks.
All the remaining advisories have a priority rating of ‘3’, as the issues were addressed in products that have not been historically targeted in attacks.
The company makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found on Adobe’s security advisories page.
Source: SecurityWeek