CVE-2026-36213: An issue in Microvirt MEmu Android Emulator 9
An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a local attacker to escalate privileges via the MemuService.exe component.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A privilege escalation vulnerability affects Microvirt MEmu Android Emulator version 9.2.7.0 via its MemuService.exe component. The attacker requires only a low-privilege local account and no network access to trigger the flaw. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability on the affected host. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
Detection of CVE-2026-36213 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle MEmu or related components.
AvailableHarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 7.8 (HIGH) and weighting it against each environment's compliance policy, routing alerts to the appropriate team inbox within each customer organization.
AvailableBecause no fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
Pending upstreamExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the service is required.
- AuthenticationRequired
Any low-privilege local account is sufficient to attempt the exploit; no elevated or administrative credentials are needed.
- Victim interactionNot required
No user interaction is required; the attacker can execute the attack entirely on their own.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.
Blast Radius
- A successful attacker reads all data accessible on the host, including credentials, session tokens, and application files stored by MEmu or co-located software.
- A successful attacker modifies or deletes files, configuration, and persisted application data on the host.
- A successful attacker crashes or permanently disrupts services running on the host, including MemuService.exe and any dependent processes.
- Because the escalation reaches a high privilege level, the attacker can install backdoors or alter system binaries to maintain persistent access.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-36213 is active across all environments that scan images containing the affected MEmu 9.2.7.0 components, with results available within minutes of advisory ingestion. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle. In the interim, customers can apply compensating controls through network-policy isolation to restrict lateral movement from any host running MEmu, enforce least-privilege process execution to limit the accounts that can interact with MemuService.exe, and use feature-flag or deployment policy gating to disable or quarantine images that include the affected emulator. The moment an upstream fix is published, a patched-image rebuild will become available on HarborGuard, and for customers with auto-remediation enabled, the rebuild, regression test run, and PR opened against affected workloads will follow automatically.
- n/a / n/an/a
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H