{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39973/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-39973"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["apktool","path-traversal","android","cve-2026-39973"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eApktool, a tool used for reverse engineering Android APK files, is vulnerable to a path traversal issue in versions 3.0.0 and 3.0.1 (CVE-2026-39973). This vulnerability resides within the \u003ccode\u003ebrut/androlib/res/decoder/ResFileDecoder.java\u003c/code\u003e component. A maliciously crafted APK can exploit this flaw during standard decoding (\u003ccode\u003eapktool d\u003c/code\u003e) to write arbitrary files to the filesystem. The vulnerability is a security regression introduced by commit e10a045 (PR #4041, December 12, 2025), which inadvertently removed the \u003ccode\u003eBrutIO.sanitizePath()\u003c/code\u003e call, a crucial safeguard against path traversal attacks. By embedding \u003ccode\u003e../\u003c/code\u003e sequences in the \u003ccode\u003eresources.arsc\u003c/code\u003e Type String Pool, attackers can bypass directory restrictions and write files to sensitive locations, such as \u003ccode\u003e~/.ssh/config\u003c/code\u003e, \u003ccode\u003e~/.bashrc\u003c/code\u003e, or Windows Startup folders, ultimately enabling remote code execution. Apktool version 3.0.2 addresses this vulnerability by reintroducing the \u003ccode\u003eBrutIO.sanitizePath()\u003c/code\u003e function in \u003ccode\u003eResFileDecoder.java\u003c/code\u003e, effectively mitigating the path traversal risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Android APK file.\u003c/li\u003e\n\u003cli\u003eThe attacker embeds \u003ccode\u003e../\u003c/code\u003e sequences within the \u003ccode\u003eresources.arsc\u003c/code\u003e Type String Pool of the APK.\u003c/li\u003e\n\u003cli\u003eA user attempts to decode the malicious APK file using a vulnerable version of Apktool (3.0.0 or 3.0.1) via the command \u003ccode\u003eapktool d malicious.apk\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring the decoding process, the \u003ccode\u003eResFileDecoder.java\u003c/code\u003e component processes the \u003ccode\u003eresources.arsc\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eDue to the missing \u003ccode\u003eBrutIO.sanitizePath()\u003c/code\u003e call, the \u003ccode\u003e../\u003c/code\u003e sequences are not sanitized, allowing path traversal.\u003c/li\u003e\n\u003cli\u003eApktool attempts to write a resource file to a location outside the intended output directory.\u003c/li\u003e\n\u003cli\u003eThe resource file is written to an arbitrary location on the filesystem, potentially overwriting critical system files (e.g., \u003ccode\u003e~/.bashrc\u003c/code\u003e, \u003ccode\u003e~/.ssh/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf a file like \u003ccode\u003e~/.bashrc\u003c/code\u003e is overwritten, subsequent shell sessions execute malicious code, achieving remote code execution. If a Windows Startup folder is targeted, the code executes on the next reboot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to write arbitrary files to the filesystem of the machine running Apktool. This can lead to various malicious outcomes, including remote code execution, privilege escalation, and data exfiltration. The impact is particularly severe if Apktool is run with elevated privileges or if sensitive files are overwritten. While specific victim numbers are not available, developers and security researchers who rely on Apktool for APK analysis are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Apktool version 3.0.2 or later to remediate CVE-2026-39973.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on sensitive files like \u003ccode\u003e~/.bashrc\u003c/code\u003e and \u003ccode\u003e~/.ssh/config\u003c/code\u003e to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring to detect the execution of \u003ccode\u003eapktool d\u003c/code\u003e with suspicious arguments, particularly targeting unexpected output directories.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Apktool Path Traversal Attempt\u0026rdquo; to identify potential exploitation attempts based on command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T02:16:07Z","date_published":"2026-04-21T02:16:07Z","id":"/briefs/2026-04-apktool-path-traversal/","summary":"A path traversal vulnerability in Apktool versions 3.0.0 and 3.0.1 allows a malicious APK file to write arbitrary files to the filesystem during decoding, potentially leading to remote code execution.","title":"Apktool Path Traversal Vulnerability (CVE-2026-39973)","url":"https://feed.craftedsignal.io/briefs/2026-04-apktool-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-39973","version":"https://jsonfeed.org/version/1.1"}