CVE-2026-39973: Arbitrary File Write via Path Traversal in Apktool
Vulnerability ID: CVE-2026-39973
CVSS Score: 7.1
Published: 2026-04-23
Apktool versions 3.0.0 and 3.0.1 contain a high-severity path traversal vulnerability due to a security regression in resource decoding. By crafting a malicious APK with a modified resources.arsc file, an attacker can escape the intended output directory, leading to arbitrary file write and potential remote code execution on the analyst's machine.
TL;DR
A security regression in Apktool 3.0.0/3.0.1 allows attackers to craft malicious APKs that perform arbitrary file writes during decoding, potentially leading to RCE on the host system.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Local (Requires user interaction)
- CVSS: 7.1
- EPSS: 0.00014 (2.78%)
- Impact: Arbitrary File Write / RCE
- Exploit Status: PoC-level
- KEV Status: Not Listed
Affected Systems
- Apktool 3.0.0
- Apktool 3.0.1
- Apktool: 3.0.0 - 3.0.1 (Fixed in: 3.0.2)
Code Analysis
Commit: e10a045
Regression introduced during refactor
Commit: 65dd848
Patch implementing strict whitelisting for resource type names
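The fix replaces trust in the type name read from resources.arsc with a strict whitelist. As an added illustration, not Apktool's own code, the Python below shows that whitelist approach together with a second, independent canonical-path containment check on the final destination; the whitelist set, the function names and the sample entries are assumptions constructed for this example, not taken from the fix commit.

```python
# Added example (not Apktool's code): two independent checks a decoder can
# apply before writing a resource entry to disk. The whitelist is an assumed
# set of standard Android resource type names, not the list from the fix.
from pathlib import Path

ALLOWED_RESOURCE_TYPES = frozenset({
    "anim", "animator", "array", "attr", "bool", "color", "dimen", "drawable",
    "font", "id", "integer", "interpolator", "layout", "menu", "mipmap",
    "plurals", "raw", "string", "style", "styleable", "transition", "xml",
})

def is_allowed_type_name(type_name: str) -> bool:
    """Layer 1 (the approach of the 3.0.2 fix): exact membership only, so a
    type name carrying separators or '..' never becomes a directory name."""
    return type_name in ALLOWED_RESOURCE_TYPES

def resolve_output_path(out_dir: str, type_name: str, file_name: str) -> Path:
    """Return the destination for one decoded entry, or raise ValueError.
    Layer 2: the file name also comes from the archive, so the canonical
    destination must stay below <out_dir>/res regardless of the type name."""
    if not is_allowed_type_name(type_name):
        raise ValueError(f"rejected resource type name: {type_name!r}")
    res_root = (Path(out_dir) / "res").resolve()
    target = (res_root / type_name / file_name).resolve()
    if res_root not in target.parents:
        raise ValueError(f"destination escapes output directory: {target}")
    return target

def is_safe_write(out_dir: str, type_name: str, file_name: str) -> bool:
    """True when both layers accept the entry."""
    try:
        resolve_output_path(out_dir, type_name, file_name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample entries, as a decoder would read them from an archive.
    samples = [
        ("layout", "activity_main.xml"),      # legitimate entry
        ("../../../tmp", "escaped.txt"),      # traversal in the type name
        ("drawable", "../../../outside.txt"), # traversal in the file name
        ("drawable", "/outside.txt"),         # absolute file name
    ]
    for type_name, file_name in samples:
        ok = is_safe_write("/tmp/out", type_name, file_name)
        print(f"{type_name!r}/{file_name!r}: safe={ok}")
```

The containment check matters even with a correct whitelist, because any other archive-controlled path component (here the file name) is an equally valid traversal vector.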
Exploit Details
- GitHub Security Advisory: Exploit maturity documented as PoC-level in technical advisory
Mitigation Strategies
- Upgrade to Apktool 3.0.2 or higher
- Execute Apktool inside ephemeral containers or isolated VMs
- Implement File Integrity Monitoring (FIM) for sensitive host directories
Remediation Steps:
- Verify the current Apktool version using the command apktool -version
- Download Apktool 3.0.2 from the official GitHub releases page
- Replace the existing apktool.jar with the updated binary in the executable path
- Verify the update by running the version check command again
References
- GHSA-m8mh-x359-vm8m
- Regression Commit
- Fix Commit (Whitelisting)
- Pull Request #4041
- NVD Record CVE-2026-39973