Researcher Clément Labro published a deep-dive analysis and a functional Proof-of-Concept (PoC) exploit for a critical security flaw in the Windows Error Reporting (WER) service. The vulnerability, tracked as CVE-2026-20817, is a local privilege escalation (LPE) bug that could allow an attacker to jump from a standard user account to full SYSTEM privileges.
What makes this discovery particularly urgent for IT administrators is that the inner workings of the exploit are now entirely in the public domain. Labro’s analysis provides a “straightforward” roadmap of how the vulnerability functions and how it can be triggered using Windows internal communication channels.
The vulnerability was discovered by researchers Denis Faiustov and Ruslan Sayfiev. According to Labro’s report, the flaw was so severe that Microsoft’s fix didn’t just patch the code—it eliminated the feature entirely.
“This vulnerability was such a gaping hole in the Windows Error Reporting service that Microsoft completely removed the affected feature”.
The issue resides in a function called SvcElevatedLaunch within the WerSvc.dll file. By sending a specially crafted Advanced Local Procedure Call (ALPC) message to the WER service, an attacker can trick the system into launching a process with elevated permissions.
The technical breakdown reveals that the WER service creates an ALPC server named \WindowsErrorReportingServicePort. An attacker can connect to this port and send a message containing a “File Mapping” object. This object contains command-line arguments that the service then uses to start WerFault.exe as SYSTEM.
Key findings from the analysis include:
- User Control: While the attacker cannot choose which program runs (it is hardcoded to WerFault.exe), they have “full control over the command line options” passed to that program.
- ALPC Abuse: Sending the malicious message is “rather simple” once the message format is understood.
- Stealth Tactics: The service even attempts to “spoof the client’s PID” to make the new elevated process appear as a child of the attacker’s low-privilege process.
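The PID-spoofing behaviour described in the last point gives defenders something to look for: under normal conditions an elevated WerFault.exe is started by the WER service host, whereas a SYSTEM-level WerFault.exe whose recorded parent is an ordinary user process is out of the ordinary. The following PowerShell is an added example, not code from Labro's write-up, the PoC, or Microsoft; it assumes Sysmon Event ID 1 (process creation) records carrying the fields Image, User, ParentImage and ParentUser (ParentUser is present in recent Sysmon builds), and the sample records are constructed, not real telemetry.

```powershell
# Added detection heuristic (not from the article or the PoC). Assumes Sysmon Event ID 1
# records with Image, User, ParentImage and ParentUser; sample data below is constructed.

function Find-SuspiciousWerFault {
    param(
        # Array of objects shaped like Sysmon Event ID 1 (process creation) records
        [Parameter(Mandatory)] [object[]] $Events
    )

    $systemAccount = 'NT AUTHORITY\SYSTEM'

    foreach ($e in $Events) {
        # Only WerFault.exe instances that ended up running as SYSTEM are of interest
        if ($e.Image -notlike '*\WerFault.exe') { continue }
        if ($e.User -ne $systemAccount) { continue }

        $parentLeaf = Split-Path -Leaf $e.ParentImage

        # Legitimate elevated launches come from the WER service host (svchost.exe) as SYSTEM.
        # A SYSTEM WerFault.exe whose recorded parent is a non-SYSTEM user process matches the
        # parent-spoofing behaviour the write-up describes and deserves a closer look.
        if ($parentLeaf -ne 'svchost.exe' -and $e.ParentUser -ne $systemAccount) {
            [pscustomobject]@{
                TimeCreated = $e.UtcTime
                ProcessId   = $e.ProcessId
                CommandLine = $e.CommandLine
                ParentImage = $e.ParentImage
                ParentUser  = $e.ParentUser
                Reason      = 'WerFault.exe running as SYSTEM, parented by a non-SYSTEM user process'
            }
        }
    }
}

# Constructed sample records (not real telemetry); command lines are placeholders.
$sampleEvents = @(
    # Benign: service-launched, parent is svchost.exe running as SYSTEM
    [pscustomobject]@{ UtcTime='2026-01-20 10:01:02'; ProcessId=4120; Image='C:\Windows\System32\WerFault.exe';
        CommandLine='WerFault.exe -u -p 1234 -s 5678'; User='NT AUTHORITY\SYSTEM';
        ParentImage='C:\Windows\System32\svchost.exe'; ParentUser='NT AUTHORITY\SYSTEM' },
    # Benign: crash reported in the user's own context
    [pscustomobject]@{ UtcTime='2026-01-20 10:05:17'; ProcessId=5210; Image='C:\Windows\System32\WerFault.exe';
        CommandLine='WerFault.exe -u -p 9876 -s 4321'; User='CORP\alice';
        ParentImage='C:\Program Files\App\app.exe'; ParentUser='CORP\alice' },
    # Suspicious: SYSTEM WerFault.exe whose recorded parent is a standard user's cmd.exe
    [pscustomobject]@{ UtcTime='2026-01-20 10:09:44'; ProcessId=6033; Image='C:\Windows\System32\WerFault.exe';
        CommandLine='WerFault.exe <placeholder arguments>'; User='NT AUTHORITY\SYSTEM';
        ParentImage='C:\Windows\System32\cmd.exe'; ParentUser='CORP\alice' }
)

# Only the third record is reported
Find-SuspiciousWerFault -Events $sampleEvents | Format-List
```

To run this against live data, pull Event ID 1 from the Microsoft-Windows-Sysmon/Operational log with Get-WinEvent and map the EventData fields onto objects with the same property names. Treat a hit as a prompt for triage rather than proof of exploitation: a genuine service crash handled by WER can also produce a SYSTEM-level WerFault.exe, so the command line and the parent's history should be reviewed before concluding anything.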
To prove the severity of the risk, Labro has released a functional Proof-of-Concept on GitHub. While the current PoC focuses on triggering the execution rather than achieving full arbitrary code execution, it provides the foundation for more dangerous exploits.
“It only triggers the WerFault.exe command line execution as SYSTEM with a user-controlled buffer… It does not try to actually gain arbitrary code execution. Further work is required to achieve this result”.
Microsoft addressed this vulnerability in the January 2026 Patch Tuesday update. The patch (version 10.0.26100.7623 or later) effectively disables the vulnerable SvcElevatedLaunch function, returning an error code (0x80004005) whenever it is called.
Organizations are urged to verify that all Windows endpoints have applied the January 2026 cumulative updates. With the PoC code publicly available, the likelihood of exploitation in the wild is significantly higher.
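One quick way to confirm a host has the fix is to read the file version of WerSvc.dll and compare it with the patched version quoted above. The PowerShell below is an added example, not from the article, Labro, or Microsoft. It assumes the quoted version 10.0.26100.7623 belongs to the 26100 servicing branch, so on a Windows branch with a different build number the build field will not match and the function reports that a same-branch comparison is needed rather than guessing.

```powershell
# Added example (not from the article or Microsoft): check whether WerSvc.dll on this host
# is at or above the January 2026 fixed version quoted in the write-up. The comparison is
# only meaningful within the same servicing branch (major.minor.build), hence the branch check.

function Test-WerSvcPatched {
    param(
        [string]  $DllPath      = (Join-Path $env:SystemRoot 'System32\WerSvc.dll'),
        [version] $FixedVersion = [version]'10.0.26100.7623'
    )

    if (-not (Test-Path -LiteralPath $DllPath)) {
        return [pscustomobject]@{
            Path = $DllPath; FileVersion = $null; SameBranch = $false; Patched = $null
            Verdict = 'WerSvc.dll not found at the expected path'
        }
    }

    $vi = (Get-Item -LiteralPath $DllPath).VersionInfo
    # Build a comparable System.Version from the numeric parts; the FileVersion string may carry extra text
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    $sameBranch = ($fileVersion.Major -eq $FixedVersion.Major) -and
                  ($fileVersion.Minor -eq $FixedVersion.Minor) -and
                  ($fileVersion.Build -eq $FixedVersion.Build)

    # Only compare the full version when the branch matches; otherwise leave the verdict open
    $patched = if ($sameBranch) { $fileVersion -ge $FixedVersion } else { $null }

    $verdict = if (-not $sameBranch) {
        "Different servicing branch (build $($fileVersion.Build)); compare against that branch's January 2026 cumulative update"
    } elseif ($patched) {
        'Patched: this build disables SvcElevatedLaunch'
    } else {
        'NOT patched: install the January 2026 cumulative update'
    }

    [pscustomobject]@{
        Path        = $DllPath
        FileVersion = $fileVersion
        SameBranch  = $sameBranch
        Patched     = $patched
        Verdict     = $verdict
    }
}

Test-WerSvcPatched | Format-List
```

Run it in an elevated or standard session alike (reading the file version needs no special rights), or wrap it in Invoke-Command to sweep a fleet. The file version is a proxy for the installed update, so where the branch differs the authoritative answer is the January 2026 cumulative update status for that branch in your patch-management tooling.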