| Homepage | https://0xdeadbeef.info |
| GitHub | https://github.com/0xdea |

This is my analysis (and PoC) for CVE-2026-20817, a privilege escalation in the Windows Error Reporting service.
👉 https://itm4n.github.io/cve-2026-20817-wersvc-eop/
Credit goes to Denis Faiustov and Ruslan Sayfiev for the discovery.
TL;DR A low privilege user could send an ALPC message to the WER service and coerce it to start a WerFault.exe process as SYSTEM with user-controlled arguments and options. I did not achieve arbitrary code execution, but perhaps someone knows how this can be done? 🤷♂️
This vulnerability was such a gaping hole in the Windows Error Reporting service that Microsoft completely removed the affected feature. A low privilege user could simply send a specially crafted ALPC message with a reference to a command line that the service executed with SYSTEM privileges. At least that’s what I thought initially.
Hello Mastodon!
Since this is my first post, I thought I'd share some incredibly niche C++ trivia / pedantry:
For an enum whose enumerators all have the value 0, C++ asks us to imagine a hypothetical integer type with minimal width that can represent 0 (https://eel.is/c++draft/dcl.enum#8.sentence-2). This means we must consider the case where the width is 0. For an unsigned integer type, this gives a range of representable values of [0, 0], and that's the type we pick. But before we can determine that that's minimal, we must also consider a signed integer type with a width of 0, for which we get a range of representable values of [-½, -½]! (https://eel.is/c++draft/basic.fundamental#1.sentence-5) Conveniently that range does not include 0, so we discover that we must use an unsigned integer type to determine the range of values of the enumeration. (We also rule out an unsigned integer type of negative width as that would have a range of values 0 to -½ (inclusive) or smaller, which I think we can reasonably conclude is an empty range despite the parenthetical.)
In any case: if you ever wondered whether a zero-bit signed integer type in C++ can represent only the value 0 or only the value -1, now you know: no, it can represent only the value -½. Truly a marvelous compromise.
Follow me for more brilliant insights like this one :)

"It is the talk of the town today — the loud boom, the flash of light in the sky experienced by a lot of folks across the Houston area this afternoon," says a local Texas newscaster. "And then there was this — a home in northwest Harris county hit by something that crashed through their...
🚨 We are extending the deadline for our Volume 5 Call For Papers and its Rootkit Competition!
Check out the updated dates below:
→ https://tmpout.sh/blog/vol5-cfp.html (until May 1st 2026)
→ https://tmpout.sh/blog/vol5-rootkit-competition.html (until May 31st 2026)
We are looking forward to reading your work!
Reflecting en route home from @1ns0mn1h4ck, where I predominantly focussed on technical talks after giving our first public iteration of our binary instrumentation with Frida training.
Most researchers rarely mentioned AI usage, but were often asked about this during post-talk Q&A, where the answer was almost always along the lines of “it’s pretty bad at $this”.
In some cases there were hints that LLMs helped speed up some of the grunt work, but for anything novel, the human did the work.
This makes me wonder a bit about offensive research and the extreme automation push we're facing as a whole. I worry how we are going to keep the energy to push beyond a perceived knowledge ceiling, especially when you know you need to sometimes be unreasonably persistent for good research outcomes, all while not being distracted by LLMs and their force multiplier effect.
That said, I’m encouraged to see people push that noise out of the way and continue to figure out how stuff really works, even though most of us are less sure of what the future looks like.
When I first watched War Games (1983) I thought "wow, so weird, not only did they have terrible password management, but their test 'AI' system was directly linked to the prod".
Ha-ha. 