Microsoft Security Response Center Update Guide
- Chromium: CVE-2026-0908 Use after free in ANGLE (January 16, 2026 at 8:08 pm)
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024) for more information.
- Chromium: CVE-2026-0907 Incorrect security UI in Split View (January 16, 2026 at 8:08 pm)
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024) for more information.
- Chromium: CVE-2026-0905 Insufficient policy enforcement in Network (January 16, 2026 at 8:08 pm)
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024) for more information.
- Chromium: CVE-2026-0906 Incorrect security UI (January 16, 2026 at 8:08 pm)
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024) for more information.
- Chromium: CVE-2026-0904 Incorrect security UI in Digital Credentials (January 16, 2026 at 8:08 pm)
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024) for more information.
- Chromium: CVE-2026-0903 Insufficient validation of untrusted input in Downloads (January 16, 2026 at 8:08 pm)
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024) for more information.
- Chromium: CVE-2026-0902 Inappropriate implementation in V8 (January 16, 2026 at 8:08 pm)
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024) for more information.
- Chromium: CVE-2026-0901 Inappropriate implementation in Blink (January 16, 2026 at 8:08 pm)
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024) for more information.
- Chromium: CVE-2026-0900 Inappropriate implementation in V8 (January 16, 2026 at 8:08 pm)
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024) for more information.
- Chromium: CVE-2026-0899 Out of bounds memory access in V8 (January 16, 2026 at 8:08 pm)
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024) for more information.
- CVE-2026-21223 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability (January 16, 2026 at 8:00 am)
Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non‑administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem. This allows a non‑administrator to enable or disable Windows Virtualization‑Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor‑protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass.
- CVE-2026-20960 Microsoft Power Apps Remote Code Execution Vulnerability (January 16, 2026 at 8:00 am)
Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.
- CVE-2025-64679 Windows DWM Core Library Elevation of Privilege Vulnerability (January 14, 2026 at 8:00 am)
Updated the build numbers. This is an informational update only.
- CVE-2025-64678 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability (January 14, 2026 at 8:00 am)
Updated the build numbers. This is an informational update only.
- CVE-2026-20958 Microsoft SharePoint Information Disclosure Vulnerability (January 14, 2026 at 8:00 am)
Updated acknowledgment. This is an informational change only.
- CVE-2026-20929 Windows HTTP.sys Elevation of Privilege Vulnerability (January 13, 2026 at 8:00 am)
Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network.
- CVE-2026-20867 Windows Management Services Elevation of Privilege Vulnerability (January 13, 2026 at 8:00 am)
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
- CVE-2026-20872 NTLM Hash Disclosure Spoofing Vulnerability (January 13, 2026 at 8:00 am)
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
- CVE-2026-20849 Windows Kerberos Elevation of Privilege Vulnerability (January 13, 2026 at 8:00 am)
Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network.
- CVE-2026-20861 Windows Management Services Elevation of Privilege Vulnerability (January 13, 2026 at 8:00 am)
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
