CVE ID: CVE-2026-20817
Full Title: Windows Error Reporting Service Elevation of Privilege Vulnerability
Severity: Important
CVSS Score: 7.8 / 10 (HIGH)
Impact: Elevation of Privilege (SYSTEM)
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low (standard user)
User Interaction: None
Exploited in Wild: No
Public PoC: Yes (post-patch)
MSRC Assessment: Exploitation More Likely
Patched: January 13, 2026 (January Patch Tuesday)
NVD Entry: CVE-2026-20817

Affected Versions and Patches

OS / Version                Patch KB
Windows 11 24H2             KB5074109
Windows 11 23H2             KB5073455
Windows 10 22H2             KB5073724
Windows Server 2025         KB5073379
Windows Server 2022         KB5073457
Windows Server 2022 23H2    KB5073450

A proof-of-concept exploit for CVE-2026-20817 just hit GitHub, and it's already making the rounds in security circles. This one targets the Windows Error Reporting (WER) service, specifically through an ALPC (Advanced Local Procedure Call) flaw that lets a local attacker jump straight to SYSTEM-level privileges. If you manage Windows machines in any capacity, this needs your attention right now.

What's the Vulnerability?

The Windows Error Reporting service runs as SYSTEM and uses ALPC to communicate between processes. CVE-2026-20817 is a flaw in how WER handles these interprocess calls. An attacker who already has local access (even as a low-privilege user) can abuse the WER service to escalate their permissions all the way to SYSTEM.

In plain terms: a standard user account can become a full administrator without triggering UAC prompts or needing any credentials.

The public PoC demonstrates the full chain from unprivileged user to SYSTEM shell. That means this isn't theoretical. It's working code, available to anyone who knows where to look.

Who's Affected?

This impacts most supported versions of Windows, including:

  • Windows 10 (all supported builds)
  • Windows 11 (22H2, 23H2, 24H2, 25H2)
  • Windows Server 2019, 2022, and 2025

If the Windows Error Reporting service is running (it is by default on nearly every Windows installation), you're exposed.

How to Fix It

Step 1: Install the latest Windows security updates

Open Settings, go to Windows Update, and check for updates. Microsoft addressed this in their January 2026 Patch Tuesday (released January 13, 2026). Install everything available and reboot.

# Check your current patch level
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5

Step 2: Verify the WER service configuration

While you're patching, confirm the WER service isn't set to something unexpected:

Get-Service -Name WerSvc | Select-Object Name, Status, StartType

On most workstations, the start type is Manual. If you don't rely on crash reporting, you can disable it temporarily as a mitigation while patching rolls out:

# Temporary mitigation only - re-enable after patching
Set-Service -Name WerSvc -StartupType Disabled
Stop-Service -Name WerSvc -Force

Step 3: Check for signs of exploitation

Look at recent Event Viewer entries under Application for anything unusual from the WER service:

Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Windows Error Reporting'} -MaxEvents 20 |
  Select-Object TimeCreated, Id, Message | Format-Table -Wrap

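Unusual spikes in WER events, especially around the time of user logins, could indicate someone testing or using this exploit. Ordinary application crashes generate the same events, so treat a spike as a lead to investigate rather than as proof.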
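
The three steps above combined into one per-host triage check, as an added example that is not from the original post or from Microsoft. KB numbers are taken from the table on this page; the build numbers used to pick a row, the 7-day window and the spike threshold are assumptions.

```powershell
# Added example: per-host triage for CVE-2026-20817 (patch, WerSvc, WER event spikes).
# KB numbers are from this page's table. Build numbers used to pick the row are
# an assumption (the usual build for each release), not stated on the page.
$kbByRelease = @{
    'client-26100' = 'KB5074109'   # Windows 11 24H2
    'client-22631' = 'KB5073455'   # Windows 11 23H2
    'client-19045' = 'KB5073724'   # Windows 10 22H2
    'server-26100' = 'KB5073379'   # Windows Server 2025
    'server-20348' = 'KB5073457'   # Windows Server 2022
    'server-25398' = 'KB5073450'   # "Windows Server 2022 23H2" as listed on the page
}
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$role = if ($os.ProductType -eq 1) { 'client' } else { 'server' }
$key  = "$role-$($os.BuildNumber)"
$kb   = $kbByRelease[$key]

# Step 1: a later cumulative update supersedes the listed KB, so "not listed"
# means "compare the newest installed update", not "vulnerable".
if (-not $kb) {
    $patch = 'release not in the page table'
} elseif (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    $patch = "$kb installed"
} else {
    $patch = "$kb not listed; check newest update"
}
$newest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

# Step 2: current WER service state.
$svc = Get-Service -Name WerSvc

# Step 3: WER events per hour over the last 7 days (window is an assumption).
$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Windows Error Reporting'
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue)
$perHour  = @($events | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') })
$baseline = $events.Count / (7 * 24)
# Assumed threshold: at least 5 events in an hour and over 5x the hourly average.
$spikes = @($perHour | Where-Object { $_.Count -ge 5 -and $_.Count -gt 5 * $baseline })

[pscustomobject]@{
    Release      = $key
    PatchStatus  = $patch
    NewestHotFix = "$($newest.HotFixID) ($($newest.InstalledOn))"
    WerSvc       = "$($svc.Status) / $($svc.StartType)"
    WerEvents7d  = $events.Count
    SpikeHours   = ($spikes | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
}
```

The script only reads state and changes nothing on the host; run it through your remote management tooling to collect one result object per machine.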

Why This One Matters

Local privilege escalation bugs don't get the same headlines as remote code execution, but they're the bread and butter of post-compromise activity. An attacker who gets onto a machine through phishing or a drive-by download starts as a regular user. CVE-2026-20817 is exactly the kind of bug they use to go from "I'm on the box" to "I own the box."

The public PoC makes this especially urgent. It lowers the skill bar significantly. You don't need to be a researcher to use it.

Bottom Line

Patch immediately. If you can't patch right away, disable the WER service as a stopgap. Monitor for unusual WER activity in your logs.

If your organization needs help rolling out patches or assessing exposure across your environment, reach out to our team for assistance.