PT-2026-2667 · Microsoft · Windows

Denis Faiustov +1 · Published 2026-01-13 · Updated 2026-03-02 · CVE-2026-20817

CVSS v3.1: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Windows versions prior to January 2026 patches

Description

A flaw exists in the Windows Error Reporting Service (wersvc.dll) that allows a low-privileged user to exploit the service's ALPC (Advanced Local Procedure Call) interface. This allows the spawning of processes with near-SYSTEM-level privileges, leading to local privilege escalation to NT AUTHORITY\SYSTEM.

The root cause is a missing authorization check within the Windows Error Reporting service. Specifically, the service publishes an ALPC port without verifying client permissions. The SvcElevatedLaunch function lacks privilege validation, enabling a low-privileged user to send an ALPC message containing a shared memory descriptor with an arbitrary command string. The service then duplicates the memory, reads the command string without validation, and, if unable to obtain a client token, falls back to creating a restricted SYSTEM token. This token retains critical privileges like SeDebugPrivilege, SeImpersonatePrivilege, and SeBackupPrivilege. Consequently, processes like WerFault.exe or WerMgr.exe are launched with SYSTEM privileges and the controlled command string.

Successful exploitation results in full system compromise through local code execution with SYSTEM rights. The vulnerability affects all Windows systems globally.

Recommendations

Apply Microsoft's January 2026 patches.

Exploit

Fix

LPE

Weakness Enumeration

Related Identifiers

BDU:2026-00482
CVE-2026-20817

Affected Products

Windows