Patch Monday January 2026 - Fairly Standard Month; Zoom Critical Update

Unsubscribe

Welcome to our first Patch Monday newsletter of 2026.

Adobe started the year off with a long product list of updates. Most of these were fairly normal with the exception of CVE-2025-66515 for Adobe ColdFusion. This update is rated "Critical Priority 1". According to Adobe that means this arbitrary code execution vulnerability should be updated ASAP, for example, within 72 hours.

If you're a regular reader, you'll notice that Apple is missing from the chart below. On January 26 they released iOS and iPadOS updates across their supported devices. These are not listed in the chart below because these updates had no published CVE entries on Apple's security releases/updates page.

Mozilla had its regular updates in the past 30 days as well. Zoom had our highest rated CVSS update for the past 30 days. CVE-2026-22844 is rated 9.9 and Critical for CVSS score and severity. If you are using Zoom Node Hybrid or Meeting Connector then you will want to make sure your admins update to the latest available MMR version as soon as possible.

Google released three updated versions in the past 30 days that fixed 12 vulnerabilities with 5 of these rated "High". So, you will want to make sure those browsers get restarted and updated.

All in all, it was a pretty standard month. If there are any additional products you would like to see in the chart below, please let me know.

Be sure to browse the chart below and happy patching!

Follow randyfsmith on X

Subscribe to Randy Franklin Smith on Facebook

So, without further ado, here’s the chart of non-Microsoft 3rd party patches that affect Windows platforms in the past month.

Patch data provided by:

Identifier

Vendor/
Product

Affected Versions

Date Released
by Vendor

Vulnerability Info

Vender Severity / Our Recommendation

CVE-2026-21283

Adobe Bridge

15.1.1 (LTS) and earlier

16.0 and earlier

1/13/2026

 Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

CVE-2025-66516

Adobe ColdFusion

2023 Update 17 and earlier

2025 Update 5 and earlier

1/13/2026

 Arbitrary Code Execution

Critical Priority 1: Update within 72 hours

Multiple CVE's

Adobe Dreamweaver

21.6 and earlier

1/13/2026

 Arbitrary Code Execution,
Arbitrary File System Write

Critical Priority 3: Update at admins discretion

Multiple CVE's

Adobe Illustrator

2025 29.8.3 and earlier

2026 30.0 and earlier

1/13/2026

 Application Denial of Service,
Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

CVE-2026-21281

Adobe InCopy

21.0 and earlier

19.5.5 and earlier

1/13/2026

 Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

Multipe CVE's

Adobe InDesign

21.0 and earlier

19.5.5 and earlier

1/13/2026

 Arbitrary Code Execution,
Memory Exposure

Critical Priority 3: Update at admins discretion

CVE-2026-21308

Adobe Substance 3D Designer

15.0.3 and earlier

1/13/2026

 Memory Leak

Important Priority 3: Update at admins discretion

Multiple CVE's

Adobe Substance 3D Modeler

1.22.4 and earlier

1/13/2026

 Application Denial of Service,
Arbitrary Code Execution,
Memory Exposure

Critical Priority 3: Update at admins discretion

CVE-2026-21305

Adobe Substance 3D Painter

11.0.3 and earlier

1/13/2026

 Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

CVE-2026-21306

Adobe Substance 3D Sampler

5.1.0 and earlier

1/13/2026

 Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

CVE-2026-21287

Adobe Substance 3D Stager

3.1.5 and earlier

1/13/2026

 Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

Multiple CVE's

Google
Chrome

Before 144.0.7559.96*.97 (Windows/Mac)

Before 144.0.7559.96 (Linux)

1/20/2026

 Inappropriate Implementation,
Incorrect Security,
Insufficient Policy,
Insufficient Validation,
Out of Bounds Write/Read,
Race Condition,
Use After Free		 Update after testing

Multiple CVE's

Mozilla Thunderbird

Before 147

1/13/2026

 Arbitrary Code Execution,
Clickjacking,
Denial of Service,
Information Disclosure,
Sandbox Escape,
Security Feature Bypass,
Spoofing,
Use After Free

Update after testing

Multiple CVE's

Mozilla Firefox

Before 147

1/13/2026

 Arbitrary Code Execution,
Clickjacking,
Denial of Service,
Information Disclosure,
Sandbox Escape,
Security Feature Bypass,
Spoofing,
Use After Free

Update after testing

Multiple CVE's

Mozilla Firefox ESR

Before 140.7

1/13/2026

 Arbitrary Code Execution,
Clickjacking,
Information Disclosure,
Sandbox Escape,
Security Feature Bypass,
Spoofing,
Use After Free

Update after testing

CVE-2026-22844

Zoom Node Deployments

Meetings Hybrid (ZMH) MMR module before 5.2.1716.0

Meeting Connector (MC) MMR module before 5.2.1716.0

1/20/2026

 Command Injection

Critical - Update after testing

Thanks as always for reading and best wishes on security,

Randy Franklin Smith

Follow randyfsmith on Twitter Subscribe to Randy Franklin Smith on Facebook

Click here to unsubscribe

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2026 Monterey Technology Group, All rights reserved. You may forward this email in its entirety but all other rights reserved.

9450 SW Gemini Drive #53822, Beaverton, OR 97008

Note: We do our best to provide quality information and expert commentary but use all information at your own risk.