Cisco Talos Blog

Microsoft releases update to address zero-day vulnerability in Microsoft Office

Edmund Brumaghin, 29 January 2026, 11:43
  • Microsoft has published three out-of-band (OOB) updates so far in January 2026. One of these updates was released to address a vulnerability, CVE-2026-21509, affecting Microsoft Office that has been reportedly exploited in the wild. 
  • Additional OOB updates have been published to resolve operational issues experienced following installation of the updates released as part of the standard Microsoft Patch Tuesday process.

CVE-2026-21509 was published to address a security feature bypass vulnerability affecting Microsoft Office. This vulnerability was rated as “Important” and received a CVSS 3.1 score of 7.8. This vulnerability is considered “local,” meaning that it must be triggered by an attacker with access to an affected system, or by convincing a victim to open a malicious Office document that triggers the vulnerability. It has also been added to the CISA Known Exploited Vulnerabilities (KEV) list. Microsoft reports that this vulnerability cannot be triggered via the Preview Pane in Microsoft Office. Microsoft has also released mitigation guidance for CVE-2026-21509 as part of this advisory.  

In response to these vulnerability disclosures, Talos is releasing a new SNORT® ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65823-65830.

The following Snort 3 rules are also available: 301384-301387.

The following ClamAV signature has been released to detect activity associated with this vulnerability: 

  • Rtf.Exploit.CVE_2026_21509-10059214-0 
Cisco Talos Blog

Microsoft Patch Tuesday for January 2026 — Snort rules and prominent vulnerabilities

Edmund Brumaghin, 13 January 2026, 15:29

Microsoft has released its monthly security update for January 2026, which includes 112 vulnerabilities affecting a range of products, including 8 that Microsoft marked as “critical”.  

In this month's release, Microsoft observed one of the included “important” vulnerabilities, CVE-2026-20805, as being exploited in the wild. Out of 8 "critical" entries, 6 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Windows Local Security Authority Subsystem Service (LSASS), Microsoft Word, Microsoft Excel, and Microsoft Office. The two remaining “critical” entries are elevation of privilege (EoP) vulnerabilities affecting Windows Graphic Component and Windows Virtualization-Based Security (VBS) Enclave. 

CVE-2026-20822 is a critical elevation of privilege vulnerability affecting Windows Graphic Component. This vulnerability is due to a use-after-free (UAF) bug that could enable an attacker to obtain SYSTEM privileges on affected systems if exploited. This vulnerability was issued a CVSS 3.1 base score of 7.8, and exploiting it would require an attacker to win a race condition. Microsoft has assessed that exploitation of this vulnerability is “less likely” and that it has not been publicly disclosed.

CVE-2026-20854 is a critical remote code execution vulnerability affecting Windows Local Security Authority Subsystem Service (LSASS). This vulnerability was issued a CVSS 3.1 base score of 7.5 and could enable an authorized attacker to execute code on affected systems over a network. Successful exploitation of this vulnerability does not require elevated privileges. Microsoft has assessed that this vulnerability is “less likely” to be exploited and that it has not been publicly disclosed.

CVE-2026-20876 is a critical elevation of privilege vulnerability affecting Windows Virtualization-Based Security (VBS) Enclave. This vulnerability is due to a heap-based buffer overflow that could enable local privilege elevation if successfully exploited by an authorized attacker. Successful exploitation of this vulnerability could grant an attacker Virtual Trust Level 2 (VTL2) privileges on affected systems. This vulnerability was issued a CVSS 3.1 base score of 6.7 and has been assessed by Microsoft to be “less likely” to be exploited and has not been publicly disclosed.  

CVE-2026-20944 is a critical remote code execution vulnerability affecting Microsoft Word. This vulnerability is due to an out-of-bounds read and could enable an attacker to execute arbitrary code on affected systems. To exploit this vulnerability, an attacker would need to convince victims to open a specially crafted malicious file on a vulnerable system. This vulnerability was issued a CVSS 3.1 base score of 7.8. Microsoft has assessed that this vulnerability is “less likely” to be exploited and has not been publicly disclosed.  

CVE-2026-20952 and CVE-2026-20953 are critical remote code execution vulnerabilities affecting Microsoft Office. These vulnerabilities are due to use-after-free conditions and could enable an unauthorized attacker to execute arbitrary code on affected systems. To successfully exploit either of these vulnerabilities, an attacker would need to log on and run a specially crafted application or convince a victim to open a malicious file on affected systems. Both vulnerabilities were issued a CVSS 3.1 base score of 8.4. Microsoft has assessed that these vulnerabilities are “less likely” to be exploited, and neither was publicly disclosed.

CVE-2026-20955 is a critical remote code execution vulnerability affecting Microsoft Excel. This vulnerability is due to an untrusted pointer reference and could be leveraged by an unauthorized attacker to execute arbitrary code on affected systems. To successfully exploit this vulnerability, an attacker would need to convince a victim to open a specially crafted malicious file. This vulnerability was issued a CVSS 3.1 base score of 7.8 and was assessed by Microsoft to be “less likely” to be exploited. Microsoft has also noted that this vulnerability has not been publicly disclosed. 

CVE-2026-20957 is a critical remote code execution vulnerability affecting Microsoft Excel. This vulnerability is due to an integer underflow that could be leveraged by an unauthorized attacker to execute arbitrary code on affected systems. To successfully exploit this vulnerability, an attacker would need to convince a victim to open a specially crafted malicious file. This vulnerability was issued a CVSS 3.1 base score of 7.8 and was assessed by Microsoft to be “less likely” to be exploited. Microsoft has also noted that this vulnerability has not been publicly disclosed. 

CVE-2026-20805 is an important information disclosure vulnerability affecting Desktop Window Manager. This vulnerability could allow for exposure of sensitive information on affected systems. This vulnerability was issued a CVSS 3.1 base score of 5.5, and Microsoft reports that it has already been exploited. Microsoft has noted that this vulnerability has not been publicly disclosed.

Talos would also like to highlight the following "important" vulnerabilities, as Microsoft has determined that their exploitation is "more likely":

  • CVE-2026-20816: Windows Installer Elevation of Privilege Vulnerability 
  • CVE-2026-20817: Windows Error Reporting Service Elevation of Privilege Vulnerability 
  • CVE-2026-20820: Windows Common Log File System Driver Elevation of Privilege Vulnerability 
  • CVE-2026-20840: Windows NTFS Remote Code Execution Vulnerability 
  • CVE-2026-20843: Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability 
  • CVE-2026-20860: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 
  • CVE-2026-20871: Desktop Windows Manager Elevation of Privilege Vulnerability 
  • CVE-2026-20922: Windows NTFS Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.    

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65498, 65499, 65663-65676.  

The following Snort 3 rules are also available: 301344, 301368-301374. 
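A coverage check a defender can run against a downloaded `.rules` file to confirm that the SIDs quoted in both posts above (the CVE-2026-21509 out-of-band release and the January 2026 Patch Tuesday release) are actually present and enabled after an SRU or rule-pack update. This is an added example, not Talos or Cisco code; the rule lines in `SAMPLE_RULES` are constructed placeholders, not the real rule text.

```python
import re

# SID lists exactly as quoted in the two Talos posts above.
ADVISORY_SIDS = {
    "CVE-2026-21509 OOB": {"snort2": "65823-65830", "snort3": "301384-301387"},
    "January 2026 Patch Tuesday": {"snort2": "65498, 65499, 65663-65676",
                                   "snort3": "301344, 301368-301374"},
}
# Matches the sid option inside a rule body, e.g. "sid:65823;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def expand_sids(spec):
    """Expand an advisory list such as '65498, 65663-65676' into a set of ints."""
    sids = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            sids.update(range(int(lo), int(hi) + 1))
        elif part:
            sids.add(int(part))
    return sids

def load_ruleset(text):
    """Return (enabled, disabled) SID sets from the text of a .rules file.
    A rule line that starts with '#' is shipped but disabled."""
    enabled, disabled = set(), set()
    for line in text.splitlines():
        stripped = line.strip()
        match = SID_RE.search(stripped)
        if not match:
            continue  # blank line, plain comment, or non-rule text
        target = disabled if stripped.startswith("#") else enabled
        target.add(int(match.group(1)))
    return enabled, disabled

def coverage_report(rules_text, spec):
    """Classify each advisory SID as enabled, disabled, or missing."""
    wanted = expand_sids(spec)
    enabled, disabled = load_ruleset(rules_text)
    return {"enabled": sorted(wanted & enabled),
            "disabled": sorted(wanted & disabled),
            "missing": sorted(wanted - enabled - disabled)}

# Constructed placeholder rules (not the real Talos rule text): two enabled,
# one commented out, the rest of the 65823-65830 range absent.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"placeholder rule"; sid:65823; rev:1;)
# alert tcp any any -> any any (msg:"placeholder disabled"; sid:65824; rev:1;)
alert tcp any any -> any any (msg:"placeholder rule"; sid:65825; rev:2;)
"""
```

Point `coverage_report` at the contents of your deployed rules file with each `ADVISORY_SIDS` entry; any SID reported as disabled or missing is a gap in the detection the posts describe.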
