Zero Day Initiative | Blog
Follow
The January 2026 Security Update Review
This article reviews the January 2026 security patches from Adobe and Microsoft. Adobe released 11 bulletins addressing 25 CVEs across various Creative Cloud and ColdFusion products. These patches fix code execution and memory leak vulnerabilities, with no publicly known or actively exploited bugs reported by Adobe. Microsoft, on the other hand, issued a large release with 112 new CVEs affecting numerous Windows components, Office, Azure, and Edge. Eight of Microsoft's patches are rated Critical, with the majority being Important. One vulnerability, CVE-2026-20805, an information disclosure bug in the Desktop Window Manager, is listed as actively exploited. Another notable patch addresses a Secure Boot certificate expiration that could impact future updates. Microsoft Office bugs related to the Preview Pane are also highlighted, with a recommendation to disable it as a precaution. Additionally, a critical vulnerability in Windows Virtualization-Based Security allows for elevation to the highest privilege level. The article suggests that large January releases are common due to vendors holding back updates over the holiday season.