Google CVE-2026-39973

EUVD-2026-24043 · Severity: HIGH
Path Traversal (CWE-22)
2026-04-21 · GitHub_M · GHSA-m8mh-x359-vm8m
CVSS 3.1 base score: 7.1

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline (4 events)

Patch available: Apr 21, 2026 03:01 (EUVD)
Analysis Updated: Apr 21, 2026 02:28 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 21, 2026 02:22 (vuln.today), reason: cvss_changed
Analysis Generated: Apr 21, 2026 02:11 (vuln.today)

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4):
  • 1 Maven package depends on org.apktool:apktool-lib (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.0.0.

Description (NVD)

Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in brut/androlib/res/decoder/ResFileDecoder.java allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (apktool d). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the BrutIO.sanitizePath() call that previously prevented path traversal in resource file output paths. An attacker can embed ../ sequences in the resources.arsc Type String Pool to escape the output directory and write files to arbitrary locations, including ~/.ssh/config, ~/.bashrc, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces BrutIO.sanitizePath() in ResFileDecoder.java before file write operations.
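As an added defender-side example (not Apktool's own code, and not the exact BrutIO.sanitizePath() algorithm, which this page does not show), the Python below checks whether a resource name taken from untrusted APK metadata would escape the decode output directory, and rebuilds it from its safe segments the way the restored sanitization is meant to; the function names and sample resource names are constructed.

```python
"""Containment check for resource output names during APK decoding.

Added example, not Apktool's own code: the exact BrutIO.sanitizePath()
algorithm is not on this page, so sanitize_path() is a constructed stand-in.
"""
import posixpath
from pathlib import PureWindowsPath


def resolves_inside_output(rel_path: str) -> bool:
    """True only if joining rel_path onto the output directory stays inside it.

    Purely lexical (no filesystem access), so it can run on untrusted names
    before any file is created. Backslashes count as separators because the
    decoder may run on Windows.
    """
    if not rel_path or "\x00" in rel_path:
        return False
    p = rel_path.replace("\\", "/")
    if p.startswith("/") or PureWindowsPath(p).drive:
        return False                      # absolute, drive-letter or UNC path
    # normpath collapses every '..' that has a parent to consume; any '..'
    # that survives would step above the output directory.
    return ".." not in posixpath.normpath(p).split("/")


def sanitize_path(rel_path: str) -> str:
    """Rebuild the name from its safe segments only, dropping drive/root
    prefixes and '', '.' and '..' segments, so the result never escapes."""
    p = rel_path.replace("\\", "/")
    drive = PureWindowsPath(p).drive
    if drive:
        p = p[len(drive):]                # same length whether '/' or '\\' separators
    return "/".join(s for s in p.split("/") if s not in ("", ".", ".."))


def find_escaping_names(names):
    """Names a decoder must not write verbatim, paired with their sanitized form."""
    return [(n, sanitize_path(n)) for n in names if not resolves_inside_output(n)]


# Constructed sample of resource names as they might appear in a Type String Pool.
SAMPLE_NAMES = [
    "res/drawable/icon.png",         # benign
    "res/layout/../layout/main.xml", # '..' that stays inside res/
    "res/../../../../.bashrc",       # traversal out of the output directory
    "..\\..\\startup\\run.bat",      # same trick with Windows separators
    "/absolute/path.txt",            # absolute path
]

if __name__ == "__main__":
    for name, fixed in find_escaping_names(SAMPLE_NAMES):
        print(f"REJECT {name!r} -> would write {fixed!r} instead")
```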

Analysis (AI)

Path traversal in Apktool 3.0.0-3.0.1 enables malicious APK files to write arbitrary files during decoding operations, potentially achieving remote code execution by overwriting shell configuration files or startup scripts. This security regression, introduced December 12, 2025 when sanitization controls were removed from resource decoder logic, allows attackers to embed directory traversal sequences in APK metadata that escape output directories and target critical system files like ~/.ssh/config or Windows Startup folders. …


Remediation (AI)

Within 24 hours: Identify all systems running Apktool 3.0.0 or 3.0.1 and restrict processing of untrusted APK files. Within 7 days: Implement application whitelisting or sandboxing for Apktool execution; monitor for suspicious file write attempts to system directories (~/.ssh, Startup folders, shell configuration files). …



CVE-2026-39973 vulnerability details – vuln.today
