Listen to this Post
How the CVE works (CVE-2026-39973)
The vulnerability stems from a security regression introduced in Apktool version 3.0.0 via commit e10a045 (PR 4041) on December 12, 2025. This commit inadvertently removed the `BrutIO.sanitizePath()` call from brut/androlib/res/decoder/ResFileDecoder.java, a function previously responsible for neutralizing path traversal attempts in resource file output paths.
During standard APK decoding with the command apktool d, the tool processes various components of an Android package. The vulnerable component is the resource file decoder, which handles file paths extracted from the APK’s resource table (resources.arsc). An attacker can embed directory traversal sequences like `../` into the Type String Pool of the resources.arsc文件. The absence of sanitization means these raw, unvalidated paths are directly passed to the filesystem for write operations.
Consequently, a malicious APK can escape the designated output directory and overwrite or create files anywhere on the victim’s system. The write operation inherits the privileges of the user running Apktool. If a developer or security researcher with standard user privileges decodes a booby-trapped APK, the attacker can write files to sensitive locations such as `~/.ssh/config` (to hijack SSH connections), `~/.bashrc` (to execute malicious code on shell startup), or Windows Startup folders (to achieve persistence).
Because arbitrary file write is a stepping stone to remote code execution (RCE), this vulnerability is considered High severity. The flaw affects Apktool versions 3.0.0 and 3.0.1. The issue was fixed in version 3.0.2 by re-introducing the `BrutIO.sanitizePath()` call to validate all paths before file write operations.
dailycve form
Platform: Apktool
Version: 3.0.0/3.0.1
Vulnerability : Path Traversal
Severity: High
date: 2026-04-21
Prediction: Patch 2026-04-23
What Undercode Say:
Analytics show widespread use of Apktool in CI/CD pipelines, malware analysis sandboxes, and Android reverse engineering workflows. Many organizations automatically decode APKs without path sanitization, leaving them exposed.
Bash Command to Detect Vulnerable Version:
apktool --version | grep -E "3.0.[bash]" && echo "VULNERABLE: CVE-2026-39973"
Code Snippet Showing Vulnerable Code Path (Conceptual):
// Vulnerable code in ResFileDecoder.java (version 3.0.1)
public void decode(File outDir, String pathFromArsc) {
// pathFromArsc could be "../../../.ssh/config"
File outputFile = new File(outDir, pathFromArsc);
// No sanitization, file written outside outDir
writeFile(outputFile);
}
Code Snippet Showing the Fix (version 3.0.2):
// Patched code in ResFileDecoder.java (version 3.0.2)
public void decode(File outDir, String pathFromArsc) {
String sanitizedPath = BrutIO.sanitizePath(pathFromArsc);
File outputFile = new File(outDir, sanitizedPath);
writeFile(outputFile);
}
Exploit:
Scenario: An attacker creates an APK where a resource path inside `resources.arsc` is set to ../../../.ssh/authorized_keys. When a victim runs `apktool d malicious.apk` in their home directory, Apktool writes the attacker’s SSH public key to /home/victim/.ssh/authorized_keys, granting the attacker SSH access.
Protection from this CVE
- Immediate: Upgrade to Apktool version 3.0.2 or later.
- Mitigation: Avoid decoding untrusted APK files with Apktool 3.0.0/3.0.1. Use a different tool or run Apktool inside an isolated sandbox (e.g., Docker, VM).
- Detection: Monitor filesystem for unexpected writes outside the intended output directory during Apktool execution.
Impact
- Arbitrary File Write: Attacker writes any file anywhere on the system (subject to user permissions).
- Remote Code Execution (RCE): By overwriting
~/.bashrc,~/.ssh/config, or Windows Startup scripts, the attacker achieves persistent code execution. - Supply Chain Risk: A malicious APK in a public repository could compromise developers’ workstations and build servers.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

