Microsoft shares 112 vulnerabilities it addressed in January, which is 68 fewer than this time last year

Microsoft releases a list of all the bugs it knows about in Windows 11 every month, and the first of the year reveals over 100 of the pesky lil' guys in the popular operating system.

Microsoft has fixed 112 vulnerabilities in its own services and has flagged a further three in non-Microsoft products. Those products are all linked to Microsoft, like the Windows Motorola Soft Modem Driver or Agere Windows Modem Driver. Usually, the addressing of vulnerabilities can go from an official fix to recommended mitigations, but 111 of those this month have an official fix, with one having a temporary fix.

That sounds like a high number of vulnerabilities but it's actually a fairly large drop from this time last year, which saw 165 Microsoft vulnerabilities and 18 from non-Microsoft products. That's 115 versus 183. In December, Microsoft addressed just 65 vulnerabilities, 18 from non-Microsoft services.

The majority of this month's vulnerabilities are considered less likely or unlikely to be exploited, with eight considered "more likely". Every vulnerability in the 'more likely' category has been given a severity score of 7.8/10.

The highest severity issues are both logged at 8.8. The first is a way of executing code remotely by "tricking a domain-joined user into sending a request to a malicious server via the Routing and Remote Access Service (RRAS) Snap-in". The second is also about executing code remotely; this time, one with Site Member permissions could get access via a SharePoint Server.

Last January saw a vulnerability with a whopping 9.9 CVSS, though that was mitigated by Microsoft before the release went live. It allowed users to bypass authentication in the Azura AI Face service, which could allow an attacker to elevate privileges over a network.

It's worth noting that a high severity score doesn't mean that just anyone can take over your PC tomorrow. Score tends to be a mixture of ease with which a bad actor can exploit it, and the types of privileges that bad actors would be granted from it. You can find vulnerabilities with very high scores that are niche or hard to pull off. For instance, just last week, Asus urged users to update MyAsus because of an 8.5 security vulnerability, as one could inject code without permission, but this required local access.

This is all to say that vulnerabilities, even high-severity ones, are relatively normal. The best thing that can be done is flag them when found and update your software when a company urges you to do so. This is one of the many problems you run into using an out-of-date OS.

As Windows 10 support ended for most people last year, so too did necessary safety updates to mitigate security vulnerabilities—unless you signed up for extended updates. It's a good reminder of how much work goes into security updates and how many we can expect to see Microsoft working on at any one time—and also how many crop up each and every month.

Best gaming rigs 2026

1. Best gaming laptop: Razer Blade 16

2. Best gaming PC: HP Omen 35L

3. Best handheld gaming PC: Lenovo Legion Go S SteamOS ed.

4. Best mini PC: Minisforum AtomMan G7 PT

5. Best VR headset: Meta Quest 3

👉Check out our list of guides👈