A proof-of-concept exploit for a critical local privilege escalation vulnerability in the Windows Error Reporting (WER) service has been made public on GitHub. The vulnerability, identified as CVE-2026-20817, affects the ALPC interface of WER and allows low-privilege users to gain full system access.
Vulnerability Details
The flaw is located in the WindowsErrorReportingService port and the SvcElevatedLaunch method (method 0x0D), which fail to properly validate caller permissions. This oversight enables an authenticated user with low privileges to exploit the service by launching WerFault.exe with malicious command-line arguments from shared memory. The resulting process inherits the SYSTEM token, granting extensive privileges such as SeDebugPrivilege and SeImpersonatePrivilege.
Exploitation Process
The exploit involves creating shared memory with a malicious command line, connecting to the WER ALPC port, and sending an ALPC message using method 0x0D. This message includes the client PID, shared memory handle, and command length. Consequently, WER duplicates the handle and executes WerFault.exe with the provided command line.
Affected Systems and Mitigation
Systems impacted by this vulnerability include Windows 10 and Windows 11 versions prior to January 2026, as well as Windows Server 2019 and 2022. Microsoft has addressed the issue in the January 2026 Security Update. Organizations are urged to apply these patches immediately and to monitor for any unusual activity involving WerFault.exe processes or SYSTEM token behaviors to prevent exploitation.
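A triage heuristic for the WerFault.exe monitoring recommended above, added here as an example and not taken from the article, the PoC, or Microsoft: it flags WerFault.exe launches running under the SYSTEM account whose command line does not look like a normal crash-report invocation. The event field names (Sysmon Event ID 1 style) and the "benign" command-line shape are assumptions to be tuned against your own telemetry.

```python
"""Heuristic triage of process-creation events for anomalous WerFault.exe launches.

Added example, not code from the article. Field names follow a Sysmon
Event ID 1 layout and the benign command-line pattern is an assumption;
validate both against your own environment before alerting on them.
"""
import re

# Assumption: legitimate crash-report launches carry the -u/-p/-s or -pss
# switches. A SYSTEM-token WerFault.exe with any other argument shape is
# worth a look, since CVE-2026-20817 abuse supplies its own command line.
BENIGN_CMDLINE = re.compile(
    r'^"?[^"]*\\WerFault\.exe"?\s+(-u\s+)?(-p\s+\d+\s+)?(-s\s+\d+|-pss\b)',
    re.IGNORECASE,
)
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def is_suspicious(event: dict) -> bool:
    """True when WerFault.exe runs as SYSTEM with an unexpected command line."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\werfault.exe"):
        return False
    if event.get("User", "").upper() != SYSTEM_USER:
        return False  # non-SYSTEM launches are outside this rule's scope
    return BENIGN_CMDLINE.match(event.get("CommandLine", "")) is None


def triage(events) -> list:
    """Return the ProcessIds of events that trip the heuristic."""
    return [e["ProcessId"] for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WerFault.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 3316 -s 812"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\WerFault.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -pss -s 900 -p 3320 -ip 3320"},
    {"ProcessId": 5210, "Image": r"C:\Windows\System32\WerFault.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r'"C:\Windows\System32\WerFault.exe" /x placeholder-arg'},  # constructed anomaly
    {"ProcessId": 5301, "Image": r"C:\Windows\System32\WerFault.exe",
     "User": r"CORP\alice",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 2200 -s 500"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # -> [5210]
```

Pair this with the January 2026 update rather than relying on it alone; the heuristic only narrows what an analyst reviews.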