Description

Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (`apktool d`). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the `BrutIO.sanitizePath()` call that previously prevented path traversal in resource file output paths. An attacker can embed `../` sequences in the `resources.arsc` Type String Pool to escape the output directory and write files to arbitrary locations, including `~/.ssh/config`, `~/.bashrc`, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces `BrutIO.sanitizePath()` in `ResFileDecoder.java` before file write operations.

INFO

Published Date :

2026-04-21T01:35:22.396Z

Last Modified :

2026-04-23T03:56:04.482Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39973 vulnerability.

Vendors Products
Apktool
  • Apktool
Ibotpeaches
  • Apktool
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39973.

URL Resource
https://github.com/iBotPeaches/Apktool/commit/e10a0450c7afcd9462c0b76bcbff0e7428b92bdd#diff-cd531ebe1014bfd18185bf21585ca5cdb16fbcb07703ebc47949a1b4e4e36bc3 cve-icon cve-icon
https://github.com/iBotPeaches/Apktool/pull/4041 cve-icon cve-icon
https://github.com/iBotPeaches/Apktool/releases/tag/v3.0.2 cve-icon cve-icon
https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-m8mh-x359-vm8m cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact