CVE-2026-39973

HIGH

Apktool: Path Traversal to Arbitrary File Write

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-39973. PoCs published by adminlove520, frawlaboy.

AI-analyzed exploit summary This repository contains a functional C# PoC for CVE-2026-39973, a path traversal vulnerability in Apktool 3.0.1. The exploit crafts a malicious `resources.arsc` file to inject arbitrary files into sensitive paths (e.g., `~/.bashrc` or Windows startup folder) by leveraging a security regression in `ResFileDecoder.java`.

Description

Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (`apktool d`). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the `BrutIO.sanitizePath()` call that previously prevented path traversal in resource file output paths. An attacker can embed `../` sequences in the `resources.arsc` Type String Pool to escape the output directory and write files to arbitrary locations, including `~/.ssh/config`, `~/.bashrc`, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces `BrutIO.sanitizePath()` in `ResFileDecoder.java` before file write operations.

Exploits (2)

github WORKING POC 4 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-39973

This repository contains a functional C# PoC for CVE-2026-39973, a path traversal vulnerability in Apktool 3.0.1. The exploit crafts a malicious `resources.arsc` file to inject arbitrary files into sensitive paths (e.g., `~/.bashrc` or Windows startup folder) by leveraging a security regression in `ResFileDecoder.java`.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: iBotPeaches/Apktool 3.0.1
No auth needed
Prerequisites: ability to craft/modify APK files · victim interaction to process the malicious APK with Apktool
devstral-2 · analyzed May 19, 2026 Full analysis →
github WORKING POC 1 stars
by frawlaboy · c#poc
https://github.com/frawlaboy/CVE-2026-39973-PoC

This repository contains a functional C# PoC for CVE-2026-39973, a path traversal vulnerability in Apktool 3.0.1. The exploit crafts a malicious `resources.arsc` file to inject path traversal sequences into the type name, allowing arbitrary file writes.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: iBotPeaches/Apktool 3.0.1
No auth needed
Prerequisites: ability to craft a malicious APK file · victim interaction to process the APK with Apktool
devstral-2 · analyzed Apr 30, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 7.1
EPSS 0.0001
EPSS Percentile 0.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-22
Status published
Products (3)
apktool/apktool 3.0.0 - 3.0.2
iBotPeaches/Apktool >= 3.0.0, < 3.0.2
org.apktool/apktool-lib 3.0.0 - 3.0.2Maven
Published Apr 21, 2026
Tracked Since Apr 21, 2026