CVE-2026-20817

Name of the Vulnerable Software and Affected Versions Windows Error Reporting versions prior to January 2026

Description Improper handling of permissions in the Windows Error Reporting (WER) service allows an authorized local attacker to elevate privileges to NT AUTHORITYSYSTEM. The issue exists in the ALPC (Advanced Local Procedure Call) interface, which is a high-speed messaging system for local inter-process communication. Specifically, the service publishes the ALPC port 'WindowsErrorReportingService' but fails to perform authorization checks on callers within the CWerService::SvcElevatedLaunch() function. A low-privileged user can connect to this port and send a crafted message containing a handle to shared memory with an arbitrary command line. The service then processes this request and launches WerFault.exe or WerMgr.exe using a SYSTEM token, executing the attacker-controlled command.

Recommendations Apply the Microsoft January 2026 updates to resolve this issue. As a temporary workaround, restrict access to the vulnerable ALPC port 'WindowsErrorReportingService' to minimize the risk of exploitation.