CVE-2026-20817: Windows Error Reporting Privilege Escalation — Local to SYSTEM

CVE-2026-20817 is an elevation of privilege vulnerability affecting the Windows Error Reporting (WER) service. The issue stems from improper handling of permissions within the Advanced Local Procedure Call (ALPC) interface used by the service. This flaw allows an attacker who already has limited access to a machine (e.g., a low-privileged user or compromised service) to execute arbitrary code with NT AUTHORITY\SYSTEM privileges. This grants them complete control over the operating system.

The vulnerability resides in wersvc.dll, specifically in how it handles inter-process communication via ALPC. The service exposes a method (SvcElevatedLaunch) that is intended to handle crash reporting tasks. Attackers can trigger this method by sending a specially crafted message that points to a shared memory block they control. Due to insufficient validation of the caller's permissions, the WER service—which runs as SYSTEM—reads the attacker's input and uses it to launch WerFault.exe (or another executable) with elevated privileges. This allows the attacker to bypass security boundaries and run commands as the most powerful user on the system.

CVSS Score: 7.8 (High) While this vulnerability requires local access (it cannot be triggered directly over the internet without an initial foothold), it is a critical post-compromise tool: • Full System Compromise: Attackers gain SYSTEM rights, allowing them to disable security software, dump credentials, and access all files. • Persistence: It allows attackers to install deep-seated backdoors that survive reboots. • Lateral Movement: High privileges make it easier to move to other machines in the network.

This vulnerability affects all supported versions of Windows prior to the January 2026 update, including: • Windows 10 (versions 21H2, 22H2, and later) • Windows 11 (all versions) • Windows Server 2019, 2022, and 2025

Microsoft has released a patch as part of the January 2026 Patch Tuesday cycle. Option 1: Windows Update (Mandatory) Ensure your systems have installed the "2026-01 Cumulative Update for Windows". • Go to Settings > Update & Security > Windows Update • Click "Check for updates" and install pending security patches. Option 2: Registry Mitigation (Temporary) If patching is not immediately possible, administrators can disable the Windows Error Reporting service via Group Policy or by setting the Start value to 4 (Disabled) in HKLM\SYSTEM\CurrentControlSet\Services\WerSvc. Note: This will stop crash reporting features.

If your endpoints are missing the January 2026 security updates, they are exposed to privilege escalation attacks. TEPTEZ can automatically scan your infrastructure to identify missing OS patches and vulnerable configurations. Our platform provides visibility into patch compliance and actionable remediation steps.