Three Zero-Days Fixed on Busy Patch Tuesday

By Team-CWD, January 15, 2026


It’s set to be a busy month for system administrators after Microsoft released security updates to fix over 100 CVEs yesterday, including one being actively exploited.

CVE-2026-20805 is one of three zero-day bugs fixed on the first Patch Tuesday of 2026 – the other two being publicly disclosed but not yet used in attacks.

It’s listed as an information disclosure vulnerability in the Desktop Window Manager.

“This CVE quietly leaks sensitive memory details, giving attackers the inside knowledge they need to weaken system protections and prepare for deeper compromise,” explained Action1 director of vulnerability research, Jack Bicer.

“An authorized local attacker can trigger the flaw to disclose a section address from a remote ALPC port residing in user-mode memory. Although no data modification or denial-of-service occurs, the exposed memory information can undermine address space layout randomization (ASLR) and other defenses, making additional exploits more reliable.”

One of the other two zero-days is CVE-2026-21265, a security feature bypass vulnerability related to Secure Boot certificate expiration.

This relates to the expiration of Microsoft’s original 2011 Root of Trust certificates this year.

“These certificates sign nearly every Windows bootloader since Windows 8, and they are set to expire in June and October 2026,” explained Ryan Braunstein, security manager at Automox.

“If you bought a motherboard or computer between 2012 and 2025, CVE-2026-21265 applies to you.”

He claimed that, among other things, hackers could chain the CVE with others to prevent systems from updating their forbidden signature database before deploying a rootkit.

“This is not a vulnerability you can patch once and forget,” Braunstein warned.

“It requires an audit of your entire hardware environment and coordination between OS and firmware updates. Some BIOS updates may require manual acceptance of the new UEFI certificates rolled out in 2023.”

A Zero Day From 2023

The third zero-day is CVE-2023-31096: an elevation of privilege (EoP) in the Agere Modem driver that ships with some Windows versions.

“This vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher. Today’s Windows patches remove agrsm64.sys and agrsm.sys,” explained Rapid7 lead software engineer, Adam Barnett.

“All three modem drivers were originally developed by the same now-defunct third party and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.”

Among the 114 CVEs patched by Microsoft this month, 57 are EoP, while a further 22 are remote code execution and 22 are classed as information disclosure. Just eight are classed as critical, although – as always – context matters and will vary for each organization.
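
The hardware audit Braunstein describes and the Agere driver removal Barnett mentions can both be checked per host. The following read-only PowerShell sketch is an added example, not code from the article or from Microsoft. It assumes the built-in SecureBoot cmdlets, the default driver directory, and Microsoft's published names for its 2023 Secure Boot certificates, none of which the article states; `Get-PatchTuesdayAudit` and `Test-SecureBootVariableContains` are hypothetical helper names.

```powershell
# Added example: read-only audit, run from an elevated PowerShell session.
# The certificate names below are not in the article; they are the names
# Microsoft uses for its 2023 Secure Boot certificates.

function Test-SecureBootVariableContains {
    param(
        [Parameter(Mandatory)][string]$Variable,  # UEFI variable: 'db' or 'KEK'
        [Parameter(Mandatory)][string]$Subject    # certificate name to search for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        # Certificate subject names are stored as readable ASCII inside the DER data.
        return [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Subject)
    } catch {
        return $null  # legacy BIOS, not elevated, or variable not readable
    }
}

function Get-PatchTuesdayAudit {
    # Secure Boot state; the cmdlet throws on systems without UEFI support.
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

    # Assumed location: the default Windows driver directory.
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    $agere = @('agrsm64.sys', 'agrsm.sys') |
        Where-Object { Test-Path -LiteralPath (Join-Path $driverDir $_) }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $secureBoot
        Db2023CA          = Test-SecureBootVariableContains -Variable 'db'  -Subject 'Windows UEFI CA 2023'
        Kek2023CA         = Test-SecureBootVariableContains -Variable 'KEK' -Subject 'Microsoft Corporation KEK 2K CA 2023'
        AgereDriversFound = ($agere -join ', ')
    }
}

Get-PatchTuesdayAudit | Format-List
```

An empty value for a Secure Boot field means the variable could not be read on that host. A host reporting `False` for either 2023 certificate, or listing an Agere driver after this month's updates, is a candidate for the firmware and OS follow-up the article describes.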
