CVE-2026-36213
Received Received - Intake
Privilege Escalation in MEmu Android Emulator

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a local attacker to escalate privileges via the MemuService.exe component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-16
AI Q&A
2026-06-16
EPSS Evaluated
N/A
NVD
CVE-2026-36213
EUVD
EUVD-2026-36745
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
microvirt memu_android_emulator to 9.3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-36213 is a Local Privilege Escalation vulnerability in the MEmu Android Emulator version 9.2.7.0 and earlier. The issue occurs because the MEmuService.exe binary, which is part of the MEmuSVC service running with SYSTEM privileges, has insecure NTFS permissions. Specifically, the binary is world-writable, allowing any local user to modify or replace it.

An attacker can exploit this vulnerability by replacing the legitimate MEmuService.exe binary with a malicious executable. When the service restarts, the malicious code runs with SYSTEM-level privileges, effectively escalating the attacker's privileges on the system.

This vulnerability has been assigned a CVSS v3.1 score of 7.8 (HIGH) due to its local attack vector, low complexity, and low required privileges.

Impact Analysis

This vulnerability allows a local attacker to escalate their privileges to SYSTEM level on a machine running the vulnerable MEmu Android Emulator. This means an attacker with limited access could gain full control over the affected system.

  • Execution of arbitrary code with SYSTEM privileges.
  • Potential full compromise of the affected system.
  • Ability to bypass security restrictions and access sensitive data or system resources.
  • Installation of persistent malware or backdoors.
Detection Guidance

This vulnerability can be detected by checking the NTFS permissions of the MEmuService.exe binary to see if the "Users" group and "Everyone" have Full Control permissions, which makes the binary world-writable.

A detection script is available on GitHub to identify such insecure configurations.

  • Use the command to check permissions on the binary (example for Windows): icacls "path\to\MEmuService.exe"
  • Look for entries granting Full Control (F) to "Users" or "Everyone".
Mitigation Strategies

The immediate mitigation is to update the MEmu Android Emulator to version 9.3.2 or later, where this vulnerability is patched.

Alternatively, restrict the NTFS permissions on the MEmuService.exe binary to remove Full Control permissions from the "Users" and "Everyone" groups, ensuring only trusted accounts have write access.

After fixing permissions, restart the MEmuSVC service to ensure no malicious binary is running.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36213. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart