Skip to main content

Microsoft EUVDEUVD-2026-24043

| CVE-2026-39973 HIGH
Path Traversal (CWE-22)
2026-04-21 GitHub_M GHSA-m8mh-x359-vm8m
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

8
Patch released
Apr 23, 2026 - 15:39 nvd
Patch available
Patch available
Apr 21, 2026 - 03:01 EUVD
Analysis Updated
Apr 21, 2026 - 02:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 21, 2026 - 02:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 02:11 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 02:00 euvd
EUVD-2026-24043
Analysis Generated
Apr 21, 2026 - 02:00 vuln.today
CVE Published
Apr 21, 2026 - 01:35 nvd
HIGH 7.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.apktool:apktool-lib (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionGitHub Advisory

Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in brut/androlib/res/decoder/ResFileDecoder.java allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (apktool d). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the BrutIO.sanitizePath() call that previously prevented path traversal in resource file output paths. An attacker can embed ../ sequences in the resources.arsc Type String Pool to escape the output directory and write files to arbitrary locations, including ~/.ssh/config, ~/.bashrc, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces BrutIO.sanitizePath() in ResFileDecoder.java before file write operations.

AnalysisAI

Path traversal in Apktool 3.0.0-3.0.1 enables malicious APK files to write arbitrary files during decoding operations, potentially achieving remote code execution by overwriting shell configuration files or startup scripts. This security regression, introduced December 12, 2025 when sanitization controls were removed from resource decoder logic, allows attackers to embed directory traversal sequences in APK metadata that escape output directories and target critical system files like ~/.ssh/config or Windows Startup folders. CVSS 7.1 with local attack vector and required user interaction. No active exploitation (CISA KEV) or public POC identified at time of analysis, but exploit development is straightforward given the detailed technical disclosure in GitHub advisory GHSA-m8mh-x359-vm8m.

Technical ContextAI

Apktool is a widely-used reverse engineering framework for Android APK files, enabling security researchers and developers to decode application resources and reassemble modified packages. The vulnerability resides in the resource file decoder component (brut/androlib/res/decoder/ResFileDecoder.java), which processes the resources.arsc file - a binary archive containing all compiled resources (strings, layouts, images) indexed by Type String Pools. During normal apktool d decoding operations, the tool extracts resource names from these string pools and writes corresponding files to the output directory. The CWE-22 path traversal flaw allows malicious APK authors to inject ../ sequences into resource file paths stored within the resources.arsc Type String Pool. When processed without sanitization, these sequences cause file writes to escape the intended output directory. Commit e10a045 (PR #4041) inadvertently removed the BrutIO.sanitizePath() validation function that previously normalized paths and stripped traversal attempts, creating a window between December 2025 and the 3.0.2 patch release where all resource extraction operations became vulnerable to directory escape attacks.

RemediationAI

Immediately upgrade to Apktool version 3.0.2 or later, available at https://github.com/iBotPeaches/Apktool/releases/tag/v3.0.2, which re-implements path sanitization controls in ResFileDecoder.java to prevent directory traversal during resource extraction. Organizations unable to upgrade immediately should implement the following compensating controls with noted trade-offs: (1) Execute all apktool d operations within containerized environments (Docker, Podman) or virtual machines with isolated filesystems, preventing escape to host system directories but adding operational overhead to analysis workflows. (2) Run Apktool under restricted user accounts with write permissions limited to dedicated output directories outside user home folders, mitigating SSH config and shell profile overwrites but not preventing writes to permitted paths. (3) Deploy mandatory access control systems (SELinux, AppArmor) with policies restricting Apktool file write operations to explicitly whitelisted paths, requiring security expertise to configure correctly and potentially breaking legitimate resource extraction to unexpected locations. (4) Process only APK files from explicitly trusted sources and avoid decoding samples from malware repositories, app stores, or unknown origins without sandboxing, though this limits security research capabilities. For automated analysis pipelines, implement pre-processing validation that inspects resources.arsc Type String Pools for path traversal sequences (../, .\, absolute paths) before invoking Apktool, with the caveat that sophisticated obfuscation may bypass string-based detection. The vendor patch is the only complete mitigation; all workarounds carry operational or security limitations.

Share

EUVD-2026-24043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy