Microsoft Fixes Three Zero-days On Busy Patch Tuesday
It’s set to be a busy month for system administrators after Microsoft released security updates to fix over 100 CVEs yesterday, including one being actively exploited.
CVE-2026-20805 is one of three zero-day bugs fixed on the first Patch Tuesday of 2026 – the other two being publicly disclosed but not yet used in attacks.
It’s listed as an information disclosure vulnerability in the Desktop Window Manager.
“This CVE quietly leaks sensitive memory details, giving attackers the inside knowledge they need to weaken system protections and prepare for deeper compromise,” explained Action1 director of vulnerability research, Jack Bicer.
“An authorized local attacker can trigger the flaw to disclose a section address from a remote ALPC port residing in user-mode memory. Although no data modification or denial-of-service occurs, the exposed memory information can undermine address space layout randomization (ASLR) and other defenses, making additional exploits more reliable.”
One of the other two zero-days is CVE-2026-21265, a security feature bypass vulnerability tied to Secure Boot certificate expiration.
It relates to the expiry this year of Microsoft’s original 2011 Secure Boot root-of-trust certificates.
“These certificates sign nearly every Windows bootloader since Windows 8, and they are set to expire in June and October 2026,” explained Ryan Braunstein, security manager at Automox.
“If you bought a motherboard or computer between 2012 and 2025, CVE-2026-21265 applies to you.”
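Whether a given machine is affected by the certificate expiry comes down to which certificates its firmware actually trusts. The following PowerShell, added here as an illustration and not taken from the article or from Microsoft, Action1 or Automox, walks the UEFI Secure Boot `db` and `KEK` variables, parses their EFI_SIGNATURE_LIST entries, and prints the subject and expiry date of every X.509 trust anchor it finds. The EFI_CERT_X509_GUID value and the signature-list layout are from the UEFI specification; the subject substrings used in the final check (the 2011 Windows Production PCA and the 2023 Windows UEFI CA) are Microsoft's published certificate names and are an assumption to confirm against the output on your own hardware. It must run in an elevated PowerShell on a UEFI system with Secure Boot available.

```powershell
# Added example (not from the article): enumerate the X.509 certificates in the
# UEFI Secure Boot 'db' and 'KEK' variables and report their expiry dates.
# Run as Administrator on a UEFI system.

# UEFI spec: signature type GUID for X.509 DER certificates in an EFI_SIGNATURE_LIST.
$EfiCertX509 = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('db', 'dbx', 'KEK', 'PK')]
        [string]$Name
    )

    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0

    # The variable is a concatenation of EFI_SIGNATURE_LIST structures.
    while ($offset + 28 -le $bytes.Length) {
        # Header: SignatureType GUID(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # malformed list: stop rather than spin forever

        if ($type -eq $EfiCertX509) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # Each EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER certificate.
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Expired    = ($cert.NotAfter -lt (Get-Date))
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        # Non-X.509 lists (for example SHA-256 hash entries in dbx) are skipped.
        $offset += $listSize
    }
}

# Refuse to run on firmware where Secure Boot is unavailable or disabled.
if (-not (Confirm-SecureBootUEFI)) {
    throw 'Secure Boot is not enabled on this system; nothing to inspect.'
}

$certs = foreach ($v in 'db', 'KEK') { Get-SecureBootCertificates -Name $v }
$certs | Sort-Object Variable, NotAfter |
    Format-Table Variable, NotAfter, Expired, Subject -AutoSize

# Assumed subject names (from Microsoft's published Secure Boot CA names; verify against the output above).
$db2011 = $certs | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -like '*Windows Production PCA 2011*' }
$db2023 = $certs | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -like '*Windows UEFI CA 2023*' }
$kek2023 = $certs | Where-Object { $_.Variable -eq 'KEK' -and $_.Subject -like '*KEK*2023*' }

if ($db2023 -and $kek2023) {
    'db and KEK already trust the 2023 Microsoft CAs.'
} elseif ($db2011) {
    'db trusts only the 2011 Windows Production PCA; this firmware still needs the 2023 certificates before the 2011 ones expire.'
} else {
    'No Microsoft Windows CA found in db; check that Get-SecureBootUEFI returned data for this firmware.'
}
```

Read the `NotAfter` column rather than relying on the subject matching alone: the expiry dates are what actually matters, and a firmware that carries an OEM-provisioned variant of the Microsoft CAs will still show them. Running the check before and after applying the update is the simplest way to confirm that the new KEK and db entries landed.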
Source: InfoSecurity Magazine