CVE-2026-36213
Description
Insecure permissions on MEmuService.exe in MEmu Android Emulator 9.2.7.0 let local users replace the binary and execute arbitrary code as SYSTEM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Windows service `MemuService.exe` of MEmu Android Emulator version 9.2.7.0 and earlier. The service runs as `NT AUTHORITY\SYSTEM` but its executable file has insecure NTFS permissions: `BUILTIN\Users:(F)` and `Everyone:(F)` grant Full Control to any local user [1]. This misconfiguration (CWE-732 / CWE-269) allows any authenticated local user to overwrite the service binary.
Exploitation
An attacker with local access to the system can exploit this vulnerability with no additional privileges. Steps: verify the insecure permissions using `icacls "C:\Program Files\Microvirt\MEmu\MemuService.exe"`, then replace the legitimate executable with a malicious one (e.g., `copy malicious.exe "C:\Program Files\Microvirt\MEmu\MemuService.exe" /Y`). Finally, restart the service using `sc stop MEmuSVC && sc start MEmuSVC`. The malicious binary then executes as `NT AUTHORITY\SYSTEM` [1].
Impact
Successful exploitation results in full system compromise. The attacker gains local privilege escalation from a low-privileged user to SYSTEM, achieving high confidentiality, integrity, and availability impact (CVSS v3.1: 7.8) [1].
Mitigation
The issue is fixed in MEmu Android Emulator version 9.3.2, released after responsible disclosure [1]. Users should update to version 9.3.2 or later. No workaround is available; the insecure permissions are inherent in the installation. The CVE is not listed on the Known Exploited Vulnerabilities catalog.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =9.2.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The MEmuService.exe binary is installed with world-writable NTFS permissions, allowing any local user to replace it and execute arbitrary code as SYSTEM."
Attack vector
A local attacker with any user-level account can replace `MemuService.exe` with a malicious binary because the file grants Full Control to all users [CWE-732]. After replacement, the attacker stops and restarts the `MEmuSVC` service via `sc stop MEmuSVC && sc start MEmuSVC`, causing the malicious binary to execute as `NT AUTHORITY\SYSTEM` [ref_id=1]. No additional authentication or configuration changes are required beyond standard local access.
Affected code
The vulnerability resides in the `MemuService.exe` binary of the MEmu Android Emulator (MicroVirt), which is installed as a SYSTEM-level Windows service (`MEmuSVC`). The binary's NTFS permissions are set to `BUILTIN\Users:(F)` and `Everyone:(F)`, making it world-writable [ref_id=1].
What the fix does
The advisory states the vulnerability is patched in MEmu Android Emulator version 9.3.2 [ref_id=1]. The patch does not show the exact diff, but the fix would involve restricting NTFS permissions on `MemuService.exe` so that only privileged users (e.g., `SYSTEM` or `Administrators`) can modify the binary, preventing low-privileged users from replacing it.
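The permission pattern described above can be checked for on a host with a read-only audit. The following is an added example, not code from the advisory or from the vendor: it lists services running as SYSTEM whose executable grants write-capable rights to broad local groups. The function names `Get-ServiceBinaryPath` and `Find-WeakServiceBinary` and the set of SIDs treated as "broad" are assumptions of this example.

```powershell
# Added audit example (not from the advisory or the vendor). Read-only: lists
# services running as SYSTEM whose executable is writable by broad local groups.
# Function names and the choice of "broad" SIDs are this example's assumptions.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that allow replacing or re-permissioning a file, plus GENERIC_WRITE/GENERIC_ALL.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$WriteMask   = [int]$WriteRights -bor 0x50000000

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName can be quoted and can carry arguments, e.g. "C:\dir\svc.exe" -k name
    if ($PathName -match '^\s*"([^"]+)"')          { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(?:\s|$)') { return $Matches[1] }
    return $null
}

function Find-WeakServiceBinary {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM' } |
        ForEach-Object {
            $svc  = $_
            $path = Get-ServiceBinaryPath $svc.PathName
            if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) { return }
            $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            # Ask for SIDs instead of names so the check also works on localized Windows.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                $sid = $ace.IdentityReference.Value
                if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and
                    ([int]$ace.FileSystemRights -band $WriteMask)) {
                    [pscustomobject]@{
                        Service  = $svc.Name
                        Path     = $path
                        Identity = $BroadSids[$sid]
                        Rights   = $ace.FileSystemRights
                    }
                }
            }
        }
}

Find-WeakServiceBinary | Format-Table -AutoSize -Wrap
```

On a host with the affected installation, the `MEmuSVC` row would show `FullControl` for `Everyone` and `BUILTIN\Users`; an empty result means no SYSTEM service binary matched the pattern.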
Preconditions
- auth: Attacker must have local user-level access to the Windows system running MEmu Android Emulator 9.2.7.0 or earlier
- config: The `MemuService.exe` binary must be world-writable (`BUILTIN\Users:(F)` and `Everyone:(F)`)
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.