Microsoft Patches 113 Flaws, One Zero-Day Actively Exploited

By alex2404

Microsoft released patches for at least 113 security vulnerabilities across its Windows operating systems and supported software on Tuesday, with eight flaws rated “critical” and one already being actively exploited in the wild.

The confirmed zero-day, tracked as CVE-2026-20805, sits in the Desktop Window Manager (DWM), a core Windows component responsible for managing how windows are rendered on screen. Despite carrying a CVSS score of just 5.5, Microsoft has acknowledged active exploitation, meaning attackers are already using it against real targets.

Why a Low Score Doesn’t Mean Low Risk

Kev Breen, senior director of cyber threat research at Immersive, explained that this class of vulnerability is typically used to defeat Address Space Layout Randomization (ASLR), a fundamental OS security control that guards against memory-manipulation attacks.

“By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack,” Breen said. Microsoft has not disclosed which other components may be involved in such a chain, which sharply limits what defenders can do to proactively hunt for related activity. Breen’s conclusion: rapid patching is currently the only effective mitigation.

Chris Goettl, vice president of product management at Ivanti, noted that CVE-2026-20805 affects every currently supported version of Windows, including those under extended security updates. He warned against dismissing the flaw because of its “Important” rating. “A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned,” he said.

Office Preview Pane Bugs Among Critical Patches

Two critical remote code execution vulnerabilities in Microsoft Office, CVE-2026-20952 and CVE-2026-20953, can be triggered simply by previewing a malicious message in the Preview Pane. No additional interaction is required.

Decades-Old Modem Drivers Get Pulled

Adam Barnett at Rapid7 flagged that Microsoft quietly removed two more legacy modem drivers, agrsm64.sys and agrsm.sys, from Windows this month. The move mirrors a similar driver removal in October 2025 and relates to an elevation-of-privilege vulnerability, CVE-2023-31096, that was originally published by MITRE over two years ago alongside a detailed public writeup.

All three modem drivers were built by the same now-defunct third party and have shipped inside Windows for decades. Most users will never notice their removal. Some industrial control systems, though, may still rely on active modems, making this more than a footnote in certain environments.

Barnett raised a pointed question: how many more legacy modem drivers remain on a fully patched Windows system, and how many more elevation-to-SYSTEM vulnerabilities will surface before Microsoft fully closes off attackers exploiting this class of old device drivers? He also noted that a physical modem is not required to be at risk. “The mere presence of the driver is enough to render an asset vulnerable,” he said.
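
Because presence of the driver is what matters, a fleet owner can inventory the two files named above. The following PowerShell is an added example, not code from Microsoft, Rapid7, or the original article; it assumes the default driver directories under %SystemRoot% and reports both on-disk copies and any registered driver service that points at them.

```powershell
# Added example: inventory the legacy modem drivers named in the article.
$driverNames = 'agrsm64.sys', 'agrsm.sys'

# Assumption: default Windows layout; adjust if drivers are staged elsewhere.
$searchRoots = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

# 1. Copies on disk, including staged packages in the driver store.
$files = @(foreach ($root in $searchRoots) {
    if (Test-Path -Path $root) {
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $driverNames -contains $_.Name }
    }
})

# 2. Kernel driver services whose image path ends in one of the file names.
$services = @(Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($driverNames -contains ($_.PathName -split '\\')[-1]) })

$fileRows = @($files | ForEach-Object {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Kind     = 'File'
        Name     = $_.Name
        Location = $_.FullName
        Detail   = "Version=$($_.VersionInfo.FileVersion); Modified=$($_.LastWriteTimeUtc.ToString('u'))"
    }
})

$serviceRows = @($services | ForEach-Object {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Kind     = 'DriverService'
        Name     = $_.Name
        Location = $_.PathName
        Detail   = "State=$($_.State); StartMode=$($_.StartMode)"
    }
})

$findings = $fileRows + $serviceRows
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): none of $($driverNames -join ', ') found"
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A host that still lists either file after this month's update is worth checking for a missed patch or for a driver package reintroduced by an image or vendor installer.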

Secure Boot Certificate Deadline Looms

Immersive, Ivanti, and Rapid7 each flagged CVE-2026-21265, a critical Security Feature Bypass affecting Windows Secure Boot. The feature relies on certificates issued in 2011 that expire in June and October 2026. Windows devices that have not migrated to the 2023 replacement certificates will lose access to future Secure Boot security fixes once those deadlines pass, a timeline that organizations managing large device fleets should treat as a near-term operational deadline, not a distant concern.


This article is a curated summary based on third-party sources.
