Windows 11: January 2026 Patch Tuesday, Zero-Days and Emergency Out-of-Band Fixes Explained
Overview: What did Microsoft fix in January 2026?
On January 13, 2026, Microsoft released its first Patch Tuesday of the year with security updates for 114 vulnerabilities in Windows and related products. Eight of these are rated Critical.
Most attention is on three Windows zero-day vulnerabilities – issues that were known before an official patch existed:
- 1 zero-day is actively exploited in the wild.
- 2 zero-days were publicly disclosed, making it easier for attackers to reproduce them.
For Windows 11, the key cumulative updates are KB5074109 and KB5073455. They harden the platform, improve reliability, and fix the zero-day flaws.
---
The three zero-days, in plain English
Microsoft and several security vendors confirm that three zero-day issues are resolved in this release. At a high level, they fall into three typical categories:
- Attackers could leak sensitive information from memory. That data can help bypass other security features and chain further attacks.
- Multiple flaws allowed a low-privileged user or process to gain administrator-level rights. Once that happens, an attacker can disable protections, install persistent malware, and tamper with system data.
- Crafted network traffic or files could trigger execution of attacker-controlled code. In the worst case, a PC or server can be fully taken over with little or no user interaction.
Different sources quote slightly different CVE counts because some include Edge and other products, but the takeaway is clear:
If you run Windows 11, you need these updates sooner rather than later.
---
Key Windows 11 updates
For Windows 11 specifically, Microsoft released, among others:
- KB5074109 – cumulative update for current Windows 11 releases
- KB5073455 – additional cumulative security and quality update
These updates deliver:
- Fixes for all three Windows zero-days
- Patches for the broader set of 114 Windows vulnerabilities
- Stability and compatibility improvements
If you have automatic updates enabled, these patches should install on their own. In corporate environments, they are usually deployed through central patch management tools.
---
Out-of-band updates: emergency patches outside Patch Tuesday
In addition to the regular Patch Tuesday cycle, Microsoft occasionally ships out-of-band updates. These are emergency fixes released outside the normal schedule when an issue is too serious to wait.
Typical reasons for out-of-band updates include:
- A vulnerability is being heavily exploited.
- A recent Patch Tuesday update causes severe side effects (for example, critical services stop working).
- Critical infrastructure or large-scale cloud services are disrupted.
Early in 2026, for instance, Microsoft shipped an out-of-band patch to fix MSMQ and IIS issues that broke message queues and made some web sites unavailable. Production systems needed an urgent fix, so Microsoft could not wait for the next regular cycle.
Key points to remember:
- Out-of-band updates are not optional if your systems are affected.
- They appear in Windows Update but are documented separately and often come with strong deployment guidance.
---
What do 114 vulnerabilities actually mean?
The 114 patched vulnerabilities span several categories:
- Elevation of Privilege – Attackers gain more access rights than they should have.
- Information Disclosure – Sensitive data can be read or inferred.
- Remote Code Execution (RCE) – Malicious input leads to arbitrary code running on your machine.
- Spoofing and tampering – Systems or users are tricked into accepting fake identities or manipulated data.
Not every flaw is exploitable in every environment, but together they represent a large attack surface.
Applying this month’s patches significantly reduces that surface.
---
What home Windows 11 users should do
If you are a typical home user with a Windows 11 PC or laptop, you usually do not need complex security tooling. You mainly need to let Windows patch itself.
- Open Settings → Windows Update.
- Click “Check for updates.”
- Install all updates marked as important or cumulative, especially KB5074109 and KB5073455.
- Many security fixes only become active after a reboot.
- Save your work and restart promptly when Windows asks you to.
- Keep automatic updates enabled so you continue to receive future security fixes without manual effort.
---
What IT teams and admins should do
For organisations, patching is more complex. Downtime costs money, but unpatched zero-days can be far more expensive.
Recommended approach:
- Patch systems exposed to the internet first (RDS/Terminal Servers, web servers, VPN gateways).
- Follow with high-value servers that host sensitive data or many users.
- Run quick regression tests in a staging environment, but avoid multi-week delays.
- Concentrate on core business applications such as ERP, CRM, and line-of-business systems.
- Watch logs and monitoring dashboards for unusual errors or performance issues.
- Roll out in waves if possible and watch each wave.
- Announce maintenance windows and required reboots ahead of time.
- Explain briefly why this month’s updates are especially important (zero-days, active exploitation).
- Subscribe to Microsoft, CISA, and vendor advisories.
- When out-of-band fixes are released, evaluate and deploy them ahead of normal updates.
---
How to verify that you are protected
On an individual Windows 11 machine
In a corporate environment
- Use your central management tool (Intune, WSUS, SCCM, or others) to report on patch status.
- Configure reports or dashboards highlighting the January 2026 security updates and zero-day-related KBs.
- Perform spot checks on representative clients and servers.
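A spot check for the KBs this article names, runnable on one machine or pointed at a few representative hosts; this is an added example, not part of the original article and not a Microsoft script. The function name `Test-January2026Patch` and its output fields are made up for illustration; `Get-HotFix` and the two reboot-pending registry keys are standard Windows.

```powershell
# Added example: spot check for the Windows 11 KBs named in this article.
# Function name and output fields are illustrative, not a Microsoft tool.
function Test-January2026Patch {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$KbId = @('KB5074109', 'KB5073455')   # KB numbers from the article
    )

    # Keys that exist only while a servicing / Windows Update reboot is outstanding.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )

    foreach ($computer in $ComputerName) {
        $row = [ordered]@{
            ComputerName  = $computer
            Installed     = ''
            Missing       = $KbId -join ','
            RebootPending = $null      # stays $null for remote hosts (not checked)
            Error         = $null
        }
        try {
            # Asking for a single absent KB with -Id raises an error, so list
            # every installed update and filter locally instead.
            $found = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.HotFixID -in $KbId } |
                Select-Object -ExpandProperty HotFixID)
            $row.Installed = $found -join ','
            $row.Missing   = @($KbId | Where-Object { $_ -notin $found }) -join ','

            if ($computer -in @($env:COMPUTERNAME, 'localhost', '.')) {
                # A patch that is installed but awaiting restart is not yet active.
                $row.RebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })
            }
        }
        catch {
            # Unreachable host or access denied: report it rather than guess.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

Test-January2026Patch | Format-Table -AutoSize
```

A machine may list only the cumulative update for its own Windows 11 release, and one that has since taken a newer cumulative update may list neither, so treat a non-empty Missing column as a reason to look closer rather than as proof of exposure.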
---
Bottom line: Don’t park the January 2026 updates
With 114 fixed vulnerabilities, three zero-days and one actively exploited DWM bug, the January 2026 Patch Tuesday is not a cycle you can safely ignore.
For home users, the action list is simple:
- Let Windows Update do its job,
- accept the reboot,
- keep automatic updates enabled.
For organisations, the bar is higher:
- Treat these patches and any related out-of-band fixes as high priority,
- patch quickly but with controlled testing and monitoring.
The earlier you deploy these updates, the less time attackers have to weaponise and mass-exploit the now-public vulnerabilities.