Researcher Reproduces Patched Apktool Path Traversal Bug to Verify Fix Held
A developer stress-testing apktool, a widely used Android APK decompiling tool, decided to personally reproduce a known patched vulnerability rather than simply trust the published advisory. The flaw, CVE-2026-39973, involved a path traversal bug in which a maliciously crafted resources.arsc file could cause apktool to write decoded files outside the intended output directory. To verify the fix, the researcher built two versions of apktool from source — one at the last vulnerable release (v3.0.1) and one at the patched HEAD — then hand-crafted a malicious APK by directly editing binary data in the resource table. Testing confirmed that the vulnerable build silently wrote 18 files outside the sandbox, while the patched build correctly intercepted and redirected them, validating that the fix was genuine and not at risk of silent regression.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in