CVE-2026-39973
Path Traversal in Apktool ResFileDecoder Enables Arbitrary File Write
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apktool | apktool | From 3.0.0 (inc) to 3.0.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39973 is a path traversal vulnerability in Apktool versions 3.0.0 and 3.0.1. Apktool is a tool used for reverse engineering Android APK files. The vulnerability exists because a security check that sanitized file paths was removed, allowing a maliciously crafted APK to write files outside the intended output directory during the decoding process.
Specifically, an attacker can embed '../' sequences in the resources.arsc Type String Pool to escape the output directory and write arbitrary files anywhere on the filesystem, such as user configuration files (~/.ssh/config, ~/.bashrc) or Windows Startup folders. This can lead to remote code execution (RCE).
The issue was introduced in commit e10a045 (December 12, 2025) which removed the path sanitization call BrutIO.sanitizePath(). The vulnerability was fixed in version 3.0.2 by reintroducing this sanitization before writing files.
How can this vulnerability impact me?
This vulnerability can allow an attacker to write arbitrary files to your filesystem when you decode a malicious APK using vulnerable versions of Apktool (3.0.0 or 3.0.1).
By writing files to sensitive locations such as ~/.ssh/config or ~/.bashrc, an attacker can escalate privileges or execute arbitrary code on your system, potentially leading to remote code execution (RCE).
The attack requires local access to run Apktool on a crafted APK and user interaction to decode the APK, but no special privileges are needed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is specific to Apktool versions 3.0.0 and 3.0.1 during the decoding process of Android APK files. Detection involves identifying if Apktool is being used to decode potentially malicious APKs that exploit the path traversal flaw.
Since the vulnerability allows crafted APKs to write files outside the intended output directory by embedding "../" sequences in the resources.arsc Type String Pool, detection can focus on monitoring file system writes during Apktool decoding for unexpected file creations outside the target directory.
Suggested commands to detect exploitation attempts include:
- Monitor Apktool decoding logs or run Apktool with verbose/debug output to check for warnings or errors related to file path sanitization.
- Use file system monitoring tools (e.g., inotifywait on Linux) to watch for unexpected file writes outside the Apktool output directory during decoding.
- Search for suspicious files such as ~/.ssh/config, ~/.bashrc, or Windows Startup folder files created or modified during Apktool operations.
- Example command to monitor file writes on Linux during Apktool decoding: `inotifywait -m -r -e create,modify --format '%w%f' /path/to/apktool/output`
- Additionally, scanning APK files for embedded "../" sequences in resource names or strings might help identify malicious APKs before decoding.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Apktool to version 3.0.2 or later, where the vulnerability is fixed by reintroducing the BrutIO.sanitizePath() method to properly sanitize file paths before writing.
If upgrading immediately is not possible, avoid decoding untrusted or suspicious APK files with vulnerable Apktool versions (3.0.0 and 3.0.1).
Additional steps include:
- Run Apktool decoding in a restricted environment or sandbox to limit potential damage from arbitrary file writes.
- Monitor file system changes during Apktool operations to detect unexpected file creations outside the intended output directory.
- Review and validate APK files before decoding to detect suspicious path traversal patterns in resource names.
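The pre-decode scan suggested in the detection section above and the write-time containment check that the 3.0.2 fix restores, shown together as an added Python example (not Apktool's own code): the APK sample is a constructed stand-in whose resources.arsc carries only string-pool text with no real ARSC header, and `safe_output_path` is an assumed shape of the check, not BrutIO.sanitizePath itself.

```python
import io
import os
import zipfile

# Traversal markers to look for in resources.arsc string pools. ARSC string
# pools may be UTF-8 or UTF-16LE encoded, so both encodings are searched.
TRAVERSAL_MARKERS = [m.encode(enc) for m in ("../", "..\\")
                     for enc in ("utf-8", "utf-16-le")]

def find_traversal_markers(arsc: bytes) -> list:
    """Sorted byte offsets at which a traversal marker occurs in an ARSC blob."""
    hits = set()
    for marker in TRAVERSAL_MARKERS:
        pos = arsc.find(marker)
        while pos != -1:
            hits.add(pos)
            pos = arsc.find(marker, pos + 1)
    return sorted(hits)

def apk_has_traversal_strings(apk_bytes: bytes) -> bool:
    """Pre-decode check: does the APK's resources.arsc carry '../' sequences?"""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if "resources.arsc" not in zf.namelist():
            return False
        return bool(find_traversal_markers(zf.read("resources.arsc")))

def safe_output_path(out_dir: str, res_name: str):
    """Resolve res_name under out_dir; return None if the result would land
    outside out_dir. Assumed shape of the containment check the 3.0.2 fix
    restores before a decoded resource is written (not Apktool's code)."""
    base = os.path.realpath(out_dir)
    target = os.path.realpath(os.path.join(base, res_name.replace("\\", "/")))
    return target if os.path.commonpath([base, target]) == base else None

def build_sample_apk(res_name: str) -> bytes:
    """Constructed stand-in for an APK: a zip whose resources.arsc holds
    res_name as UTF-16LE text (no real ARSC headers, just pool content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00" + res_name.encode("utf-16-le"))
    return buf.getvalue()

if __name__ == "__main__":
    print(apk_has_traversal_strings(build_sample_apk("res/drawable/icon.png")))  # False
    print(apk_has_traversal_strings(build_sample_apk("../../.bashrc")))          # True
    print(safe_output_path("/tmp/apktool_out", "res/values/strings.xml"))
    print(safe_output_path("/tmp/apktool_out", "../../home/user/.bashrc"))       # None
```

A real resources.arsc may store a traversal string as a UTF-8 or UTF-16 pool entry, so a hit from `find_traversal_markers` is a reason to refuse decoding with a vulnerable version, not proof of exploitation.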
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-39973 is a path traversal vulnerability in Apktool that allows malicious APK files to write arbitrary files to the filesystem outside the intended output directory. This can lead to unauthorized modification of sensitive files such as ~/.ssh/config or ~/.bashrc, potentially escalating to remote code execution.
Such unauthorized file writes and potential remote code execution can compromise the confidentiality and integrity of systems processing APK files, which may impact compliance with standards like GDPR and HIPAA that require protection of sensitive data and system integrity.
Specifically, the vulnerability's ability to write arbitrary files and escalate privileges could lead to data breaches or unauthorized access, violating requirements for data protection and security controls mandated by these regulations.
The vulnerability was fixed in Apktool version 3.0.2 by reintroducing path sanitization to prevent directory traversal and arbitrary file writes, thereby mitigating these compliance risks.