Microsoft’s January 2026 Patch Tuesday addressed 114 CVEs across Windows, Office, Exchange, SharePoint, Azure, Hyper-V, .NET, and Visual Studio, including three zero-days confirmed as actively exploited or publicly disclosed prior to patch release; Adobe released concurrent updates covering Creative Cloud and Acrobat products. Specific CVE identifiers and CVSS scores for the three zero-days are not extractable from the available aggregated source metadata and must be confirmed directly from Qualys, ZDI, or CrowdStrike analyses before prioritization. Organizations should accelerate patching of the zero-days to a 72-hour or faster SLA, review Exchange IIS logs and Hyper-V management activity for pre-patch compromise indicators, and extend patching scope to Adobe products — Acrobat and Reader vulnerabilities are commonly exploited via document-based phishing chains.