Windows Error Reporting Vulnerability Exposes Systems to Privilege Escalation, Allowing SYSTEM Access
Microsoft recently patched a severe Elevation of Privilege (EoP) vulnerability in the Windows Error Reporting (WER) service, officially tracked as CVE-2026-20817.
This flaw allows a local attacker with standard user rights to escalate to SYSTEM privileges by exploiting improper permission handling.
The vulnerability was so significant that Microsoft chose to remove the affected feature entirely rather than attempt to repair the logic.
Vulnerability Overview
- CVE Identifier: CVE-2026-20817.
- Affected Component: Windows Error Reporting service, specifically the WerSvc.dll library.
- Impact and Threat Type: Local Privilege Escalation resulting in complete SYSTEM access.
- Discoverers: Denis Faiustov and Ruslan Sayfiev from GMO Cybersecurity.
Security researchers conducting binary diffing on WerSvc.dll discovered that Microsoft’s update simply neutralizes the vulnerable function.
Comparing the unpatched and patched versions reveals that a feature test was added directly to the SvcElevatedLaunch function.
If the patch is active, the function immediately returns an error code of 0x80004005 (E_FAIL). This effectively deadcodes the vulnerable pathway, completely blocking exploitation.
The vulnerability stems from how the WER service handles Advanced Local Procedure Call (ALPC) messages. When the service starts, it creates an ALPC server listening on the \WindowsErrorReportingServicePort endpoint.
A low-privileged user can connect to this port and send a specially crafted payload with a MessageFlags value of 0x50000000, which triggers the vulnerable method.
The attacker must also pass a File Mapping object handle acting as shared memory to deliver malicious arguments.
Once the crafted ALPC message is received, the WER service opens the client’s process and duplicates the File Mapping handle.
It maps a view of this file to read the user-controlled input string. The service then creates a SYSTEM token and invokes the CreateProcessAsUserW API to launch WerFault.exe.

A functional Proof-of-Concept (PoC) was published by security researcher itm4n, demonstrating how to trigger the elevated command line execution.
Administrators should remain cautious, as fake and potentially malicious PoC repositories for CVE-2026-20817 have also surfaced on GitHub.
Fortunately, Windows Defender actively detects these actual exploitation attempts.
Because the WER service spoofs the client’s Process ID to set it as the parent of the new WerFault.exe instance, Defender flags this technique as highly suspicious and raises an alert.