Saved February 14, 2026
Do you care about this?
Microsoft released its first security update of 2026, fixing 112 vulnerabilities, including a zero-day in Desktop Window Manager that can leak sensitive information. While this zero-day is actively exploited, attackers need local access to the system to exploit it. Eight vulnerabilities were flagged as likely to be targeted this month.
If you do, here's more
Microsoft’s January 2026 Patch Tuesday update fixed 112 vulnerabilities across its products, including a zero-day flaw in the Desktop Window Manager identified as CVE-2026-20805. This defect has a CVSS score of 5.5 and allows unauthorized attackers to access sensitive information. The Cybersecurity and Infrastructure Security Agency has included this vulnerability in its catalog of known exploited vulnerabilities, highlighting the potential risks involved, despite the absence of critical flaws in this month’s release.
Experts emphasize the significance of information disclosure vulnerabilities like CVE-2026-20805. Dustin Childs from Trend Micro pointed out that memory leaks can facilitate more reliable remote code executions. Jack Bicer from Action1 noted that the information exposed could lead to multi-stage attacks, combining leaked memory details with other vulnerabilities for privilege escalation or data theft. The risk of broader system compromise and regulatory issues increases as a result.
Microsoft did not disclose the number of attacks associated with this zero-day; exploiting it requires local access to the target system. Satnam Narang from Tenable highlighted the history of exploits in the Desktop Window Manager, with 20 CVEs patched since 2022, but noted this is the first information disclosure vulnerability exploited in the wild. Microsoft flagged eight vulnerabilities this month, each rated at 7.8, as more likely to be exploited soon. The complete list of vulnerabilities can be found in Microsoft’s Security Response Center.