CVE-2019-0863

HIGH KEV

Windows Error Reporting - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-0863 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 1 public exploit from researchers including SandboxEscaper.

AI-analyzed exploit summary This exploit leverages a race condition in the Windows Error Reporting (WER) service to arbitrarily write DACLs to files, achieving local privilege escalation (LPE). The PoC involves creating a junction point, triggering the WER reporting queue, and replacing a file with a hardlink during a small timing window between GetFileSecurity and SetFileSecurity calls.

Description

An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'.

Exploits (1)

exploitdb WORKING POC
by SandboxEscaper · textlocalwindows
https://www.exploit-db.com/exploits/46917

This exploit leverages a race condition in the Windows Error Reporting (WER) service to arbitrarily write DACLs to files, achieving local privilege escalation (LPE). The PoC involves creating a junction point, triggering the WER reporting queue, and replacing a file with a hardlink during a small timing window between GetFileSecurity and SetFileSecurity calls.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Windows Error Reporting (WER) service (Windows 10 and possibly others)
No auth needed
Prerequisites: Local access to the system · Ability to create junction points and hardlinks · Multiple processor cores for timing reliability
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 7.8
EPSS 0.0521
EPSS Percentile 91.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2019-05-14
InTheWild.io 2019-05-14
ENISA EUVD EUVD-2019-1612
Status published
Products (17)
microsoft/windows_10_1507 (2 CPE variants)
microsoft/windows_10_1607 (2 CPE variants)
microsoft/windows_10_1703 (2 CPE variants)
microsoft/windows_10_1709 (3 CPE variants)
microsoft/windows_10_1803 (3 CPE variants)
microsoft/windows_10_1809 (3 CPE variants)
microsoft/windows_10_1903 (3 CPE variants)
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
... and 7 more
Published May 16, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026