• I may be in Tokyo preparing for Pwn2Own Automotive, but that doesn’t stop Patch Tuesday from coming.
• Put aside your broken New Year’s resolutions for just a moment as we review the latest security patches from Adobe and Microsoft.
• If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for January 2026

• For January, Adobe released 11 bulletins addressing 25 unique CVEs in Adobe Dreamweaver, InDesign, Illustrator, InCopy, Bridge, Substance 3D Modeler, Substance 3D Stager, Substance 3D Painter, Substance 3D Sampler, Substance 3D Designer, and ColdFusion.
• The patch for ColdFusion fixes a single code execution bug, but the update is listed as Priority 1.
• It isn’t publicly known or under active attack, though.
• The fix for Dreamweaver corrects five Critical-rated code execution bugs.

Article Summaries:
- January 2026 Security Update Review
Adobe released 11 bulletins covering 25 CVEs across Dreamweaver, InDesign, Illustrator, InCopy, Bridge, and the Substance 3D suite, with several critical code‑execution fixes but no publicly known or actively exploited vulnerabilities. Microsoft’s January patch cycle added 112 new CVEs (114 including third‑party Chromium updates), eight rated critical and the rest important, with one active‑attack vulnerability (CVE‑2026‑20805) exposing a Desktop Window Manager information‑disclosure flaw. Both vendors noted the large January release is typical after holiday‑season delays, aiming to mitigate potential compatibility issues.
- Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most-dire “critical” rating, and the company warns that attackers are already exploiting one of the bugs fixed today. January’s Microsoft zero-day flaw - CVE-2026-20805 - is brought to us by a flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Kev Breen, senior director of cyber threat research at Immersive, said despite awarding CVE-2026-20805 a middling C
- Microsoft released its January 2026 Patch Tuesday update, addressing 113 security flaws across Windows and supported software, including eight rated “critical.” The most urgent issue, CVE‑2026‑20805, targets the Desktop Window Manager (DWM) and is already being exploited; it undermines Address Space Layout Randomization (ASLR) and can chain with other code‑execution bugs. Two Office remote‑code‑execution vulnerabilities (CVE‑2026‑20952/53) can be triggered by viewing a malicious message in the Preview Pane. Microsoft also removed the agrsm64.sys and agrsm.sys modem drivers after discovering an elevation‑of‑privilege flaw (CVE‑2023‑31096). Rapid patching remains the only effective defense.
Sources: