CVE-2026-46529

Summary

Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is shell/ev-application.c:ev_spawn, which builds a command line from attacker-controlled PDF link-destination fields without applying g_shell_quote. The cmdline is then handed to g_app_info_create_from_commandline, which shell-parses it back into argv — splitting any embedded --gtk-module=PATH into a separate argv element. GTK then dlopen()s the path during init, running any __attribute__((constructor)) it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT --checkpoint-action injection in comics-document.c, fixed in 1.6.2) but in a different code path (shell/ev-application.c) that the original patch did not touch.

Affected Software

VendorProductVersion RangeStatus
mate-desktopatril< 1.26.3affected
mate-desktopatril>= 1.27.0, < 1.28.4affected

Weaknesses

  • CWE-77: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-88: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
  • CWE-829: CWE-829: Inclusion of Functionality from Untrusted Control Sphere

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

atril: evince: xreader: PDF /GoToR action argv injection enables single-click RCE via –gtk-module dlopen

Additional References

References