Microsoft’s first round of Patch Tuesday updates for 2026 addresses 112 vulnerabilities, including a zero-day that has been actively exploited in attacks.
The exploited vulnerability is tracked as CVE-2026-20805 and it has been described by Microsoft as an important-severity information disclosure issue in the Desktop Windows Manager component of Windows.
“Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally,” Microsoft said in its advisory, adding, “The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port which is user-mode memory.”
CVE-2026-20805 was discovered by Microsoft’s own researchers, but the tech giant does not appear to have shared any information on the attacks exploiting the zero-day.
Trend Micro’s ZDI believes threat actors have likely exploited the flaw in targeted attacks, as part of an exploit chain where the address obtained as a result of CVE-2026-20805’s exploitation is useful for achieving arbitrary code execution.
“This shows how memory leaks can be as important as code execution bugs since they make the RCEs reliable,” noted ZDI’s Dustin Childs.
Two Windows vulnerabilities patched this month were disclosed publicly before the fixes became available: CVE-2026-21265 (Secure Boot bypass) and CVE-2023-31096 (privilege escalation).
Based on Microsoft’s assessment, only the latter is ‘more likely’ to be exploited in the wild.
Eight Windows and Office vulnerabilities patched this month have been assigned a critical severity rating. A majority can be exploited for remote code execution, and a couple for privilege escalation.
In addition to Windows and Office applications, Microsoft has resolved vulnerabilities in Azure and SharePoint.
Adobe’s Patch Tuesday updates address 25 vulnerabilities, including a critical Apache Tika flaw in ColdFusion.
Related: Microsoft Patches 57 Vulnerabilities, Three Zero-Days
Related: Microsoft Patches Actively Exploited Windows Kernel Zero-Day
Related: Microsoft Bug Bounty Program Expanded to Third-Party Code
