Windows WER Zero‑Day Patched

Microsoft released a patch for a critical Windows Error Reporting elevation‑of‑privilege bug that was being weaponized in the wild, underlining how quickly local flaws can turn into SYSTEM‑level exploits. The incident reinforces the need for rapid patch pipelines and for monitoring of account‑level and system‑level anomalies. (gbhackers.com)

Tracked as CVE‑2026‑20817, the WER flaw was entered into public vulnerability databases on Jan. 13, 2026, and appears in Microsoft’s January 2026 security update listings. (nvd.nist.gov) The bug stems from improper ALPC handling in the Windows Error Reporting (WerSvc) path, specifically SvcElevatedLaunch, where a low‑privileged process can supply a shared memory handle that WER duplicates and uses to launch WerFault.exe with attacker‑controlled parameters, resulting in SYSTEM escalation. (netcrook.com)

Microsoft’s January cumulative updates (for example, KB5073379 for Jan. 13, 2026) include fixes that map to the CVE, with vendor guidance pointing admins to those monthly rollups for affected builds. (support.microsoft.com) Public advisories and vendor analyses list affected platforms as Windows 10/11 and recent Windows Server releases (Server 2019/2022 and later builds) when WER is enabled and the January 2026 fixes have not been applied. (cvefeed.io)

A public PoC for the ALPC/WER exploit was published in early March 2026 (researcher handle reported as @oxfemale), which security trackers warned materially raised exploitation risk for unpatched endpoints. (vpncentral.com) Analysts assigned the flaw a high severity rating (CVSS in the high‑7 range) and emphasized that while exploitation requires local access, it is a classic post‑compromise privilege escalation that enables credential theft and persistent SYSTEM‑level control if chained with remote footholds. (sentinelone.com)
