A newly documented Windows vulnerability, CVE-2026-20817, impacts the Windows Error Reporting Service (WER) and enables local privilege escalation.
The issue matters because WER runs as NT AUTHORITYSYSTEM, so any mistake in its permission checks can become a direct path to full device takeover.
Researchers explain that WER listens for client requests over an ALPC port and includes a code path that can launch a helper process.
The vulnerable entry point, described as CWerService::SvcElevatedLaunch, processes a process-creation request without verifying the caller’s authorization, matching CWE-280’s “insufficient permission handling” pattern.
| Item | Detail |
|---|---|
| CVE ID | CVE-2026-20817 |
| Vulnerable component | wersvc.dll (Windows Error Reporting Service) |
| Vulnerability type | Elevation of Privilege (local) |
| CWE | CWE-280 (Improper Handling of Insufficient Permissions or Privileges) |
| CVSS v3.1 | 7.8 (High) |
In practical terms, a standard user can send a crafted request and cause WER to proceed as if the request were trusted.
78ResearchLab blog analysis further notes that WER pulls command-line data from a shared memory region controlled by the client and forwards it into the elevated process creation routine.
As a result, the attacker can keep the executable fixed to Windows components like WerFault.exe/WerMgr.exe while still fully controlling up to 520 bytes of command-line arguments.
The token creation path can also end up producing a SYSTEM-based token with SeTcbPrivilege removed, which is still powerful enough to support common post-exploitation actions.
On the remediation side, Microsoft’s mitigation described in the research disables the vulnerable launch feature using a feature flag rather than adding a permission check inside the function.
Patch guidance from January 2026 security update coverage includes CVE-2026-20817 as an elevation-of-privilege issue administrators should address quickly.
Recommended telemetry includes monitoring unusual process creation where WerFault.exe or WerMgr.exe appears with suspicious command lines and abnormal token characteristics (for example, elevated privileges present while SeTcbPrivilege is absent).
Organizations that can’t patch immediately should prioritize endpoint detections around WER-related process trees and investigate any low-privilege user activity that results in SYSTEM-context child processes tied to WER.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google
