It’s 2026, Patch Tuesday is once again upon us, and I’ve got some good news and some bad news. The bad news is that I really thought 2025 was going to be the year that Microsoft patched all the holes, exterminated all the bugs, and fixed all the exploits, but that doesn’t seem to be the case. The good news is that I’ll be here, talking about Patch Tuesday, with no end in sight … At least you won’t have to worry about any MDT-related patches. Get it? Cuz Microsoft dropped MDT like a bad habit. 2026 is off to a fun start. Let’s get into the details!
Severity
Total vulnerabilities patched: 114
Critical patches: 8
Important: 106
Moderate: 0
Low: 0
Vulnerability impact
Remote code execution: 22
Elevation of privilege: 57
Information disclosure: 22
Spoofing: 5
Tampering: 3
Denial of service: 2
Feature bypass: 3
Availability
Publicly disclosed: 2
Actively exploited: 1
The highlights
CVE-2026-20944, 20952, 20953: Today we get a three-for-one special because our three highest-rated critical CVEs all impact Microsoft Office. Two of these CVEs are use-after-free vulnerabilities, and the other is an out-of-bounds read vulnerability, all of which end up in remote code execution on your devices. What’s interesting is that all three of these were found by different researchers. Oh, and if you’re wondering if the preview pane is an attack vector, why yes, yes it is.
CVE-2026-21265: Next up, we’ve got CVE-2026-21265, which is, let me get this correct, a Secure Boot certificate expiration security feature bypass vulnerability. Whew! Long story short, there are a lot of systems out there with Microsoft Secure Boot certificates from 2011 that are getting ready to expire this year, and certain defective firmware components can cause certificate trust updates to fail, which can disrupt the Secure Boot trust chain. And if that’s not bad enough, bad actors can use that defective cert rotation to bypass Secure Boot security features, though it sounds very difficult to pull off. Those certificates start expiring in June of this year, so definitely keep an eye on your systems.
CVE-2026-20805: Last up for our highlights, we’ve got CVE-2026-20805, which is a Desktop Window Manager information disclosure vulnerability that is actively being exploited in the wild. What fun! There isn’t much information about how the exploit works, but the attack vector is local and it does require low-level privileges. Obviously, people are already taking advantage of this vulnerability, so definitely get this patched.
Wrapping up
If your New Year’s resolution was to get control of your patch management and possibly even automate the entire process, you’re in luck. PDQ Connect makes it easier than ever to patch your endpoints. And if you suddenly find yourself in need of an imaging solution (RIP MDT), check out SmartDeploy, the easiest and most powerful imaging platform on the market.




