CVE-2026-20817

HIGH

Windows Error Reporting - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-20817. PoCs published by oxfemale, dwgth4i, XZ1r0.

AI-analyzed exploit summary: The repository contains a functional proof-of-concept exploit for CVE-2026-20817, a local privilege escalation vulnerability in Windows Error Reporting (WER) service. The exploit leverages improper handling of ALPC messages to execute arbitrary commands as SYSTEM via crafted messages with shared memory.

Description

Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally.

Exploits (3)

github WORKING POC 1 stars
by oxfemale · c++ · poc
https://github.com/oxfemale/CVE-2026-20817

The repository contains a functional proof-of-concept exploit for CVE-2026-20817, a local privilege escalation vulnerability in Windows Error Reporting (WER) service. The exploit leverages improper handling of ALPC messages to execute arbitrary commands as SYSTEM via crafted messages with shared memory.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Error Reporting Service (pre-January 2026)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Unpatched Windows Error Reporting Service
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by dwgth4i · poc
https://github.com/dwgth4i/CVE-2026-20817

This repository contains a functional exploit PoC for CVE-2026-20817, targeting a local privilege escalation (LPE) vulnerability in the Windows Error Reporting Service (WerSvc) via ALPC port manipulation. The exploit crafts a malicious ALPC message to inject a controlled command-line argument into a SYSTEM-level WerFault.exe process.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Error Reporting Service (WerSvc)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · WerSvc running
devstral-2 · analyzed May 28, 2026

github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/windows/CVE-2026-20817

This repository contains a functional proof-of-concept exploit for CVE-2026-20817, a local privilege escalation vulnerability in Windows Error Reporting (WER) service. The exploit leverages improper handling of ALPC messages to execute arbitrary commands as SYSTEM via crafted messages with shared memory.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Error Reporting (WER) service on Windows 10/11, Server 2019/2022 (pre-January 2026)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Ability to execute code as a low-privileged user
devstral-2 · analyzed May 21, 2026

Scores

CVSS v3 7.8
EPSS 0.0008
EPSS Percentile 23.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-280
Status published
Products (18)
Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.6809
Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.6809
Microsoft/Windows 11 version 22H3 10.0.22631.0 - 10.0.22631.6491
Microsoft/Windows 11 Version 23H2 10.0.22631.0 - 10.0.22631.6491
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.7623
Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.7623
Microsoft/Windows Server 2022 10.0.20348.0 - 10.0.20348.4648
Microsoft/Windows Server 2022, 23H2 Edition (Server Core installation) 10.0.25398.0 - 10.0.25398.2092
Microsoft/Windows Server 2025 10.0.26100.0 - 10.0.26100.32230
Microsoft/Windows Server 2025 (Server Core installation) 10.0.26100.0 - 10.0.26100.32230
... and 8 more
Published Jan 13, 2026
Tracked Since Feb 18, 2026