Friday, April 17, 2026

Posted by on

Micropatches released for Windows Error Reporting Service Elevation of Privilege Vulnerability (CVE-2026-20817)

 



January 2026 Windows Updates brought a patch for CVE-2026-20817, a local privilege elevation vulnerability in Windows Error Reporting Service, allowing a local non-admin attacker to execute arbitrary code as Local System user.

The vulnerability was found and reported to Microsoft by Denis Faiustov and  Ruslan Sayfiev with GMO Cybersecurity by Ierae. Subsequently, security researcher Clément Labro reverse-engineered Microsoft's patch and posted their analysis, accompanied with a proof-of-concept. These allowed us to reproduce the issue and create patches for users of Windows systems that are no longer receiving official Microsoft patches.

 

The Vulnerability 

The vulnerability is in what seems to be an unneeded SvcElevatedLaunch function that allows any local user to have Windows Error Reporting Service launch WerFault.exe with arbitrary arguments as Local System.

 

Microsoft's Patch

Microsoft patched this issue by removing the SvcElevatedLaunch function.

 

Our Patch

Our patch is identical to Microsoft's.

 

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H1 - fully updated
  5. Windows 10 v20H2 - fully updated
  6. Windows 10 v2004 - fully updated
  7. Windows 10 v1909 - fully updated
  8. Windows 10 v1809 - fully updated
  9. Windows 10 v1803 - fully updated
  10. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  11. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  12. Windows Server 2012 - fully updated with no ESU or ESU 1
  13. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things. 

We'd like to thank Denis Faiustov and  Ruslan Sayfiev with GMO Cybersecurity by Ierae for finding this vulnerability, and Clément Labro for publishing their analysis and proof-of-concept, which allowed us to create a patch for legacy Windows users.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here

To learn more about 0patch, please visit our Help Center.

 

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)