CVE-2026-36213 — MEmu Android Emulator Local Privilege Escal...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://github.com/sec-zone/CVE-2026-36213
• Blog Title: CVE-2026-36213 — MEmu Android Emulator Local Privilege Escalation via Insecure Service Binary Permissions
• Suggested Section: Windows Hardening -> Windows Local Privilege Escalation -> Services / Weak Service Binary Permissions

🎯 Content Summary

The post documents CVE-2026-36213, a Windows Local Privilege Escalation vulnerability in MEmu Android Emulator 9.2.7.0 and earlier by MicroVirt. The issue is an insecure service-binary permission flaw: the Windows service MEmuSVC runs as NT AUTHORITY\SYSTEM, but its executable is writable by low-privileged local users. By replacing the service executable and restarting the service, an authenticated local attacker can...

🔧 Technical Details

Windows service binary hijacking through weak NTFS ACLs: If a Windows service runs under a privileged account such as NT AUTHORITY\SYSTEM, but the executable configured for that service is writable by low-privileged users, an attacker can replace the service binary with a malicious executable. When the service starts or restarts, the Service Control Manager executes the attacker-controlled binary using the service account privileges. The generic technique is: identify privileged services, locate their executable paths, check ACLs with icacls, look for dangerous entries such as BUILTIN\Users:(F), Everyone:(F), write/modify permissions, replace the binary, and restart the service with sc stop <service> && sc start <service>.

CVE-2026-36213 exploitation pattern: In MEmu Android Emulator, MEmuSVC executes C:\Program Files\Microvirt\MEmu\MemuServ...

🤖 Agent Actions

Updated src/windows-hardening/windows-local-privilege-escalation/README.md.

What I added:

• Better generic explanation of weak service binary ACL privesc
• Explicit triage with sc qc + icacls
• Dangerous ACL patterns: Everyone, BUILTIN\Users, Authenticated Users with (F)/(M)/(W)
• Practical abuse flow: replace binary + restart service
• Relevant automated checks:
  • Get-ModifiableServiceFile
  • SharpUp.exe audit ModifiableServiceBinaries
  • Invoke-PrivescCheck -Extended -Audit
• References to:
  • https://github.com/sec-zone/CVE-2026-36213
  • https://github.com/sec-zone/Hijack-service-binaries

Why this file:

• The primitive already existed in HackTricks, so creating a new page would be redundant.
• The best place was the existing “Services binaries weak permissions” section under Windows local privesc.

Validation:

• Reviewed the final diff.
• Verified tool/command names against upstream sources.
• mdbook build could not be run because mdbook is not installed in this environment.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://github.com/sec-zone/CVE-2026-36213

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation -> Services / Weak Service Binary Permissions".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0