CVE-2026-39973
Published: 21 April 2026
Summary
CVE-2026-39973 is a high-severity Path Traversal (CWE-22) vulnerability in Apktool. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 1.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: patching Apktool to version 3.0.2 directly eliminates the path traversal vulnerability by restoring path sanitization of resource output paths.
- Input validation: validate untrusted input from the APK's resources.arsc string pools so that ../ traversal sequences are rejected before any filesystem write.
- Integrity monitoring: perform software integrity checks and monitor for unauthorized file modifications that would result from path traversal during decoding.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in APK decoding enables arbitrary file writes from a malicious APK (T1204.002 Malicious File, triggered when the victim runs `apktool d`), which in turn supports persistence via writes to Windows startup folders (T1547.001) or Unix shell configuration files such as .bashrc (T1546.004).
NVD Description
Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (`apktool d`). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the `BrutIO.sanitizePath()` call that previously prevented path traversal in resource file output paths. An attacker can embed `../` sequences in the `resources.arsc` Type String Pool to escape the output directory and write files to arbitrary locations, including `~/.ssh/config`, `~/.bashrc`, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces `BrutIO.sanitizePath()` in `ResFileDecoder.java` before file write operations.
Deeper analysis
CVE-2026-39973 is a path traversal vulnerability (CWE-22) affecting Apktool versions 3.0.0 and 3.0.1, a tool used for reverse engineering Android APK files. The issue resides in the `brut/androlib/res/decoder/ResFileDecoder.java` component and enables a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding operations with the `apktool d` command. This flaw represents a security regression introduced by commit e10a045 (PR #4041, dated December 12, 2025), which removed the `BrutIO.sanitizePath()` call previously used to prevent path traversal in resource file output paths. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).
An attacker can exploit this vulnerability locally by providing a victim with a specially crafted APK containing `../` sequences embedded in the `resources.arsc` Type String Pool. If the victim, such as a security researcher or reverse engineer, runs `apktool d` on the malicious APK, the decoder escapes the intended output directory and writes files to arbitrary locations on the filesystem. Potential targets include sensitive paths like `~/.ssh/config` and `~/.bashrc` on Unix-like systems, or Windows Startup folders, potentially leading to remote code execution (RCE) through privilege escalation or persistent access.
Mitigation is available via upgrade to Apktool version 3.0.2, which re-introduces the `BrutIO.sanitizePath()` function in `ResFileDecoder.java` prior to file write operations. Official advisories and resources, including the GitHub security advisory (GHSA-m8mh-x359-vm8m), release notes for v3.0.2, the original pull request #4041, and the regressing commit e10a045, detail the issue and fix for practitioners to review and apply.
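The following Java class is an added illustration of the containment property the 3.0.2 fix restores; it is not Apktool's code and not its `BrutIO.sanitizePath()` implementation. A resource name read from the untrusted `resources.arsc` string pool is resolved against the decode output directory and rejected if it normalizes to a location outside it; the class name `ResourcePathGuard` and the sample names are assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative output-path containment check (assumed helper, not Apktool's
 * BrutIO.sanitizePath()). A resource name taken from the untrusted
 * resources.arsc string pool must never resolve outside the output directory.
 */
public final class ResourcePathGuard {

    private ResourcePathGuard() {}

    /**
     * Resolves an untrusted resource name (e.g. "res/drawable/icon.png")
     * against outDir and returns the resulting path, or throws if the
     * normalized result is absolute, empty, or escapes outDir.
     */
    public static Path resolveInside(Path outDir, String untrustedName) throws IOException {
        Path base = outDir.toAbsolutePath().normalize();
        // Treat backslashes as separators everywhere so Windows-style names are not missed.
        String name = untrustedName.replace('\\', '/');
        if (name.isEmpty() || name.startsWith("/")) {
            throw new IOException("Rejected absolute or empty resource name: " + untrustedName);
        }
        // normalize() collapses "." and ".." segments; a name that climbed above
        // base now shows up as a path that does not start with base.
        Path candidate = base.resolve(name).normalize();
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new IOException("Rejected path traversal in resource name: " + untrustedName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path out = Paths.get("app-decoded");
        // Constructed sample names: one legitimate, one traversal, one that stays inside.
        String[] samples = {
            "res/drawable/icon.png",
            "res/../../../.bashrc",
            "res/values/../values/strings.xml"
        };
        for (String s : samples) {
            try {
                System.out.println("OK   " + s + " -> " + resolveInside(out, s));
            } catch (IOException e) {
                System.out.println("DROP " + e.getMessage());
            }
        }
    }
}
```

The check compares path components (`Path.startsWith`), not string prefixes, so a sibling directory whose name merely begins with the output directory's name is not accepted as "inside".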
Details
- CWE(s)