)
)
Welcome to the first Patch Tuesday of 2026. If you need a patching resolution for the new year, this month has you covered.
The big one: Microsoft's Secure Boot certificates are expiring this year, and fixing it means patching both your OS and your BIOS. That alone will keep IT teams busy. On top of that, there is a Windows Installer privilege escalation and a Desktop Window Manager flaw already being exploited in the wild.
For a deeper dive into these CVEs, be sure to check out the full discussion on the Patch [FIX] Tuesday podcast.
CVE-2026-21265 [Important]
Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
Microsoft's original 2011 Root of Trust certificates are set to expire this year. These certificates sign nearly every Windows bootloader since Windows 8, and they are set to expire in June and October 2026.
If you bought a motherboard or computer between 2012 and 2025, CVE-2026-21265 (CVSS 6.4/10) applies to you.
Fixing this requires two things: OS patches and BIOS updates. Windows will handle the software side, but you need to update your BIOS too. Miss either one, and your systems stay vulnerable to hardware-level root of trust compromise.
This is not a vulnerability you can patch once and forget. It requires an audit of your entire hardware environment and coordination between OS and firmware updates. Some BIOS updates may require manual acceptance of the new UEFI certificates rolled out in 2023.
How attackers may exploit this vulnerability
Chain this CVE with other vulnerabilities to prevent systems from updating their forbidden signature database, then deploy a rootkit
Exploit the gap between OS and BIOS updates to establish persistent boot-level access
Target systems that disable Secure Boot as a workaround, opening the door to bootkit installation
What to look out for
Systems running Windows 8 through Windows 11 that have not received both OS and BIOS updates
Legacy systems still running Windows 10 with extended support
Endpoints where Secure Boot has been disabled, which invites worse boot kit vulnerabilities
Mitigation guidance
Begin auditing your hardware environment now to identify BIOS versions across all endpoints
Prioritize a slow rollout starting immediately rather than scrambling before the June and October deadlines
Apply Windows OS patches as they become available and coordinate with OEM BIOS updates
Do not disable Secure Boot as a workaround, as disabling it can create more severe attack vectors
– Ryan Braunstein, Security Manager, Automox
CVE-2026-20816 [Important]
Windows Installer Elevation of Privilege Vulnerability
CVE-2026-20816 (CVSS 7.8/10) exploits a time-of-check to time-of-use (TOCTOU) race condition in the Windows Installer service. TOCTOU vulnerabilities occur when a system checks whether something is safe, then uses it a split second later. This creates a window where an attacker can swap the checked item for something malicious.
Think of it like a bouncer checking your wristband at the door, then you swap jackets with someone else before entering.
An attacker who already has local access to an endpoint can trigger the Windows Installer workflow and attempt to win the race condition.
If successful, the privileged action targets something the attacker controls instead of what the installer originally validated. The Windows Installer is an attractive target because it routinely writes files, updates services, sets permissions, and touches protected system locations.
Win the race, and you go from basic user to SYSTEM, the highest privilege on Windows. This CVE has not been exploited in the wild yet, but it is a likely candidate.
How attackers may exploit this vulnerability
Gain initial access through phishing or another vulnerability, then use this CVE to escalate from standard user to system-level privileges
Redirect privileged file writes during MSI installations to gain control over protected system locations
Use the escalated privileges to move laterally through enterprise environments
What to look out for
Users with administrative privileges on their workstations, as permission sprawl is common and increases risk
Environments where the principle of least privilege is not enforced
Unusual Windows Installer activity or unexpected privilege escalation events in endpoint logs
Mitigation guidance
Audit user permissions and enforce least privilege across your organization
Monitor endpoints for suspicious Windows Installer behavior and unexpected privilege escalation
Review your permission model. If users have admin access because "it is easier," this vulnerability should prompt a reassessment
– Seth Hoyt, Senior Security Engineer, Automox
CVE-2026-20805 [Important]
Desktop Window Manager Information Disclosure Vulnerability
CVE-2026-20805 (CVSS 5.5/10) has been actively exploited in the wild, making it a priority for patching.
The Desktop Window Manager (DWM) is the Windows component responsible for drawing and compositing your desktop. It communicates with other processes using a local inter-process communication (IPC) system called ALPC. This CVE allows an unauthorized actor to access sensitive information through the DWM.
The bad news: you do not need admin rights to exploit this. Any application that can draw a window on the screen can potentially trigger it. The DWM process already runs with elevated privileges because it needs them to do its job.
In virtualized environments, a successful exploit can break container isolation, allowing an attacker to escape from a sandboxed environment.
How attackers may exploit this vulnerability
Leverage any application capable of drawing windows to trigger the vulnerability without needing admin rights
Use the information disclosure to gather data for further attacks
Break out of virtual environment containers by escalating privileges through the DWM
What to look out for
Unusual memory spikes or crashes in dwm.exe, which can indicate unstable exploit attempts
Systems that cannot be patched immediately due to patch cadence policies
Virtualized environments where container breakout poses additional risk
Mitigation guidance
Patch immediately, as this CVE is already being exploited in the wild
If you must delay patching, implement enhanced detection around dwm.exe on affected systems
Monitor for unusual DWM behavior including unexpected memory consumption or process crashes
Prioritize virtualized environments where the container breakout risk amplifies the impact
– Ryan Braunstein, Security Manager, Automox
Patch regularly, patch often
The Secure Boot situation gives you six to nine months. Start now, slow-roll it, and you will avoid a last-minute scramble. The privilege escalation and DWM vulnerabilities are standard fare: patch promptly and enforce least privilege.
Patching only gets you so far. Pair it with permission audits, detection rules, and security training. If your patching cadence is reactive, 2026 is a good year to change that.
)
)