Platform
android
Component
aleapp
Fixed in
3.4.1
CVE-2026-40027 describes a path traversal vulnerability discovered in the ALEAPP NQ Vault Artifact Parser, a tool used for parsing Android logs and protobuf data. The flaw allows attackers to write arbitrary files on the system running the parser, potentially leading to code execution. The vulnerability affects versions 0.0.0 through 3.4.0 of the parser. A fix is expected to be released by the vendor.
The core of this vulnerability lies in the parser's handling of the filenamefrom value, which is derived from a database. The parser directly uses this value to construct the output filename without proper sanitization. An attacker can craft a malicious filenamefrom payload containing path traversal sequences (e.g., ../../../outside_written.bin) to escape the intended output directory. This allows them to write files to arbitrary locations on the system. Successful exploitation could involve overwriting critical executable files or configuration files, leading to remote code execution. The impact is particularly severe because it allows for arbitrary file writes, bypassing typical directory access controls.
CVE-2026-40027 was publicly disclosed on 2026-04-08. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. Given how straightforward path traversal vulnerabilities generally are, it is reasonable to assume that a proof-of-concept could be developed quickly.
Exploit Status
EPSS: 0.01% (1% percentile)
The primary mitigation for CVE-2026-40027 is to upgrade to a patched version of the ALEAPP NQ Vault Artifact Parser. Until a patch is available, consider implementing input validation on the filenamefrom value before it is used to construct the output filename. This could involve whitelisting allowed characters, or canonicalizing the joined path to resolve relative segments and then verifying that the resolved path still lies inside the report output directory. As a temporary workaround, restrict write access to the report output directory to the parser process only. Monitor system logs for unusual file creation activity within and around the report output directory, looking for files with unexpected names or locations.
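The following is an added example, not ALEAPP's own code, of the validation the mitigation above describes: the naive join that reproduces the vulnerable pattern is shown beside a hardened version that reduces the database-supplied value to a single filename, rejects (or optionally strips) traversal attempts so they can be logged, and confirms that the resolved path is still contained in the report directory. The function names, the character allow-list and the sample values are assumptions made for this example.

```python
import os
from pathlib import PurePosixPath


class UnsafeFilenameError(ValueError):
    """Raised when a database-supplied filename would escape the report directory."""


# Characters permitted in a generated output filename (assumed policy for this
# example, not a setting taken from ALEAPP).
_ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def naive_output_path(report_dir: str, filenamefrom: str) -> str:
    """The pattern the advisory describes: the untrusted value is joined straight
    into the output path, so '..' segments walk out of report_dir."""
    return os.path.normpath(os.path.join(report_dir, filenamefrom))


def looks_like_traversal(filenamefrom: str) -> bool:
    """True if the raw value names anything other than a single file: it contains a
    path separator (either flavour) or is a bare '.', '..' or empty string."""
    normalized = filenamefrom.replace("\\", "/")
    return "/" in normalized or normalized in ("", ".", "..")


def sanitize_filename(filenamefrom: str) -> str:
    """Reduce the value to one safe path component: keep only the last segment and
    replace characters outside the allow-list with '_'."""
    name = PurePosixPath(filenamefrom.replace("\\", "/")).name
    cleaned = "".join(ch if ch in _ALLOWED else "_" for ch in name)
    if cleaned.strip("._") == "":
        raise UnsafeFilenameError(f"no usable filename in {filenamefrom!r}")
    return cleaned


def safe_output_path(report_dir: str, filenamefrom: str, reject: bool = True) -> str:
    """Return an absolute path inside report_dir for the artifact, or raise.

    reject=True (default) refuses any value that attempts traversal so the event
    can be logged and investigated; reject=False instead strips the value down to
    its last component and carries on.
    """
    if reject and looks_like_traversal(filenamefrom):
        raise UnsafeFilenameError(f"path traversal attempt in filenamefrom: {filenamefrom!r}")
    base = os.path.realpath(report_dir)
    candidate = os.path.realpath(os.path.join(base, sanitize_filename(filenamefrom)))
    # Defence in depth: even after sanitising, confirm the resolved path is still
    # under the report directory (realpath also follows symlinks, so a link inside
    # the directory that points elsewhere is caught here).
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFilenameError(f"resolved path escapes report directory: {candidate}")
    return candidate


if __name__ == "__main__":
    # Constructed sample values, including the traversal payload quoted in the advisory.
    report_dir = "/srv/aleapp/report"
    for value in ("vault_photo_0001.jpg", "../../../outside_written.bin"):
        print(f"{value!r}: naive -> {naive_output_path(report_dir, value)}")
        try:
            print(f"{value!r}: safe  -> {safe_output_path(report_dir, value)}")
        except UnsafeFilenameError as exc:
            print(f"{value!r}: rejected ({exc})")
```

Rejecting rather than silently renaming is the default because a forensic tool should not quietly alter artifact names; a rejected record is a useful signal that the source database has been tampered with. The containment check is kept even though sanitize_filename already yields a bare name, so that a future change to the sanitizer cannot reintroduce the escape on its own.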
Update ALEAPP to a version later than 3.4.0 to mitigate the path traversal vulnerability. The update corrects how filenames are handled, preventing attackers from writing arbitrary files to the system.
CVE-2026-40027 is a path traversal vulnerability in the ALEAPP NQ Vault Artifact Parser allowing attackers to write arbitrary files, potentially leading to code execution.
You are affected if you are using ALEAPP NQ Vault Artifact Parser versions 0.0.0 through 3.4.0.
Upgrade to a patched version of the ALEAPP NQ Vault Artifact Parser. Until a patch is available, implement input validation on the filenamefrom value.
There are currently no confirmed reports of active exploitation, but a proof-of-concept is likely to be developed.
Please refer to the ALEAPP website or security mailing lists for the official advisory regarding CVE-2026-40027.