Beware! Windows and Microsoft product users are at risk: Here’s how to stay safe
A flaw in Windows’ Desktop Window Manager could leak sensitive system data on affected PCs and servers.
High-severity vulnerabilities also impact Microsoft Office, Azure, developer tools, and SQL Server.
Users and organisations are urged to install Microsoft’s January 2026 security updates immediately.
If you are a Windows user, you should definitely read on. CERT-In, India’s national cybersecurity agency under the Ministry of Electronics and Information Technology (MeitY), has issued multiple warnings to Windows users. The warnings cover multiple vulnerabilities affecting Windows, as well as a broader high-severity alert that covers multiple Microsoft products.
The authority has issued a high-level advisory, warning of multiple vulnerabilities in a variety of Microsoft products, including Windows, Microsoft Office, Azure services, developer tools, and SQL Server. According to the authority, these flaws can be exploited to perform remote code execution, privilege escalation, information theft, spoofing, and denial-of-service attacks, potentially resulting in system compromise, data exfiltration, ransomware incidents, or system failure.
Windows 10, Windows 11 and Server are at risk too
In a recent advisory, CERT-In warned of an information disclosure flaw in Microsoft’s Desktop Window Manager (DWM), tracked as CIVN-2026-0021 and rated medium severity. The issue affects several versions of Windows 10, Windows 11, and Windows Server, and could allow an authenticated local attacker with low-level privileges to access sensitive data from system memory.
For the unversed, Desktop Window Manager (DWM) is a core Windows component that renders the graphical user interface. According to CERT-In, improper memory handling within DWM could expose information that could help attackers bypass protections such as Address Space Layout Randomisation (ASLR). While the flaw cannot be exploited remotely, the leaked data may serve as a stepping stone to more sophisticated attacks.
The affected systems include Windows 10 versions 1607, 1809, 21H2 and 22H2; Windows 11 versions 23H2, 24H2 and 25H2; and Windows Server editions ranging from 2012 to 2025, including Windows Server 2022 (23H2).
How to be safe
CERT-In has urged organisations, IT administrators, and individual users to treat the advisories as urgent and immediately install Microsoft’s latest security updates. Microsoft has already issued patches as part of its January 2026 security updates, and users should refer to Microsoft’s official security update guide for more information on affected products, CVEs, and recommended mitigations.
Ashish Singh
Ashish Singh is the Chief Copy Editor at Digit. He's been wrangling tech jargon since 2020 (Times Internet, Jagran English '22). When not policing commas, he's likely fueling his gadget habit with coffee, strategising his next virtual race, or plotting a road trip to test the latest in-car tech. He speaks fluent Geek.