A public exploit has been released for MEmu Android Emulator version 9.2.7.0. Tracked as CVE-2026-36213, this is a local privilege escalation vulnerability with a CVSS score of 7.8.
The problem is straightforward. MEmu installs a Windows service called “MEmuSVC” that runs with NT AUTHORITY\SYSTEM privileges. But the service binary at C:\Program Files\Microvirt\MEmu\MemuService.exe has insecure NTFS permissions. Both BUILTIN\Users and Everyone groups have FullControl access.
That means any low-privileged user on the machine can replace the service binary with a malicious one. When the service restarts, the malicious code executes with SYSTEM-level privileges. Full system compromise from a standard user account.
Researcher Mohammad discovered the flaw in February 2026. Microvirt was notified in June. The exploit was publicly disclosed on June 16. At this point, details and proof-of-concept code are publicly available on Exploit-DB.
If you’re running MEmu 9.2.7.0, check for updates from Microvirt. And verify permissions on the MemuService.exe binary — if BUILTIN\Users or Everyone show (F), you’re vulnerable.
