The Digital Security Authority (DSA) wants to bring to your attention Microsoft's January 2026 Patch Tuesday release, which addresses several CVEs.
Technical Details
On Tuesday, 13 January 2026, Microsoft released its latest patch, KB5074109. This patch addresses 114 CVEs, three of which are zero-days.
Of the 114 identified flaws, eight are rated Critical and the remaining 106 are rated Important. Privilege escalation is the most common category with 58 vulnerabilities, followed by 22 information disclosure, 21 remote code execution and five spoofing vulnerabilities.
In addition, we remind you that in November 2025 Microsoft announced the expiration of three Windows Secure Boot certificates issued in 2011, beginning in June 2026, and urged customers to update to their 2023 counterparts:
- Microsoft Corporation KEK CA 2011 (expires June 2026), replaced by Microsoft Corporation KEK 2K CA 2023 (signs updates to DB and DBX)
- Microsoft Windows Production PCA 2011 (expires October 2026), replaced by Windows UEFI CA 2023 (signs the Windows boot loader)
- Microsoft UEFI CA 2011 (expires June 2026), replaced by Microsoft UEFI CA 2023 (signs third-party boot loaders) and Microsoft Option ROM UEFI CA 2023 (signs third-party option ROMs)
Notable CVEs that are addressed:
- CVE-2026-0628: Chromium vulnerability
- CVE-2026-20805: Desktop Window Manager
- CVE-2025-21265: Secure Boot certificate expiration
- CVE-2026-20876: Windows Virtualization-Based Security (VBS) privilege escalation vulnerability
Recommendations
The Digital Security Authority recommends applying the latest patch from Microsoft on all your systems.
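As an added example that is not part of this advisory, the following PowerShell script checks a host for the two items above: whether KB5074109 is installed, and whether the 2023 Secure Boot certificates listed under Technical Details are present in the firmware's KEK and db variables alongside (or instead of) their 2011 predecessors. The KB number and certificate names come from the advisory; the function name `Test-SecureBootCertPresent`, the pairing table and the output format are this example's own. It needs an elevated session on a UEFI machine.

```powershell
# Added example, not part of the DSA advisory. Run in an elevated PowerShell
# session on the Windows host being checked (UEFI firmware required).
# KB5074109 and the certificate names come from the advisory; the function
# name, pairing table and output format are this example's own choices.

$KbId = 'KB5074109'

# Each 2011 certificate from the advisory, the Secure Boot variable that holds
# it (KEK or db) and the 2023 certificate that is meant to replace it.
$CertPairs = @(
    @{ Var = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft UEFI CA 2011';                New = 'Microsoft UEFI CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft UEFI CA 2011';                New = 'Microsoft Option ROM UEFI CA 2023' }
)

function Test-SecureBootCertPresent {
    # Returns $true when the certificate subject string appears in the raw
    # bytes of a Secure Boot variable. Subject names are stored as ASCII inside
    # the DER-encoded certificates, so a byte-string search is a sufficient
    # presence check (it does not validate the certificate itself).
    param([string]$Variable, [string]$Subject)
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($Subject)
}

# 1. Is the January 2026 cumulative update installed?
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output ("[OK]      {0} installed on {1}" -f $KbId, $hotfix.InstalledOn)
} else {
    Write-Output ("[MISSING] {0} not installed" -f $KbId)
}

# 2. Is Secure Boot enforcing at all? Without it the certificate state is moot.
try {
    $enabled = Confirm-SecureBootUEFI
} catch {
    Write-Output "[SKIP]    Secure Boot not supported on this platform (legacy BIOS?)"
    return
}
if (-not $enabled) { Write-Output "[WARN]    Secure Boot is disabled" }

# 3. For each 2011 certificate, report whether its 2023 replacement is present.
foreach ($pair in $CertPairs) {
    $hasOld = Test-SecureBootCertPresent -Variable $pair.Var -Subject $pair.Old
    $hasNew = Test-SecureBootCertPresent -Variable $pair.Var -Subject $pair.New
    $state  = if ($hasNew) { '[OK]     ' } else { '[MISSING]' }
    $line   = "{0} {1}: '{2}' present={3}; legacy '{4}' present={5}"
    Write-Output ($line -f $state, $pair.Var, $pair.New, $hasNew, $pair.Old, $hasOld)
}
```

A host that reports `[MISSING]` for a 2023 certificate while its 2011 counterpart is still present will lose the ability to trust newly signed boot components once that 2011 certificate expires, so those hosts are the ones to prioritise for the certificate update. The script only checks presence of the subject strings; it does not verify that the firmware applied the update correctly or that the boot manager itself has been re-signed.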
References
The information presented in this report is based on available data up to the 17th of January 2026.