Clément LabroThis is my analysis (and PoC) for CVE-2026-20817, a privilege escalation in the Windows Error Reporting service.
👉 https://itm4n.github.io/cve-2026-20817-wersvc-eop/
Credit goes to Denis Faiustov and Ruslan Sayfiev for the discovery.
TL;DR A low privilege user could send an ALPC message to the WER service and coerce it to start a WerFault.exe process as SYSTEM with user-controlled arguments and options. I did not achieve arbitrary code execution, but perhaps someone knows how this can be done? 🤷♂️
CVE-2026-20817 - Windows Error Reporting Service EoP
This vulnerability was such a gaping hole in the Windows Error Reporting service that Microsoft completely removed the affected feature. A low privilege user could simply send a specially crafted ALPC message with a reference to a command line that the service executed with SYSTEM privileges. At least that’s what I thought initially.