CVE-2026-46529
Status: Deferred - Pending Action
Remote Code Execution in Atril Document Viewer

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 (1.26 branch) and 1.28.4 (1.28 branch) allows an attacker to run arbitrary code as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations.

The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. That command line is handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv, so an embedded `--gtk-module=PATH` becomes a separate argv element instead of remaining part of the file name. GTK then `dlopen()`s that path during initialisation and runs any `__attribute__((constructor))` function it contains; the polyglot packaging lets the opened document itself serve as that library.

Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.26.2), but in a different code path (`shell/ev-application.c`) that the earlier patch did not touch.
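The argument-injection mechanism described above, as an added illustration that is not atril's code: Python's shlex.split() and shlex.quote() follow the same POSIX word-splitting and quoting rules as GLib's g_shell_parse_argv() (which g_app_info_create_from_commandline uses) and g_shell_quote(), so they stand in for them. The --page-label field, the file names and the module path are constructed for the example and are not taken from the advisory.

```python
"""Model of the ev_spawn defect class: unquoted, attacker-influenced fields are
concatenated into a command line that a shell-style parser later splits back into argv.

Added illustration, not atril code. shlex.split()/shlex.quote() follow the same POSIX
rules as GLib's g_shell_parse_argv()/g_shell_quote(), so they stand in for them here.
"""
import shlex
from typing import List, Optional

# Constructed values for the example. The option name --gtk-module is the one GTK 3
# honours on the command line; the file names and module path are made up.
MALICIOUS_DEST = "report.pdf --gtk-module=/tmp/shared/report.pdf"
BENIGN_DEST = "chapter two.pdf"


def build_cmdline_vulnerable(uri: str, page_label: Optional[str] = None) -> str:
    """The defect: fields taken from the PDF are appended verbatim, no g_shell_quote()."""
    cmd = "atril"
    if page_label is not None:
        cmd += " --page-label=%s" % page_label
    return "%s %s" % (cmd, uri)


def build_cmdline_fixed(uri: str, page_label: Optional[str] = None) -> str:
    """The fix: every attacker-influenced field is shell-quoted before concatenation."""
    cmd = "atril"
    if page_label is not None:
        cmd += " --page-label=%s" % shlex.quote(page_label)
    return "%s %s" % (cmd, shlex.quote(uri))


def parse_like_gio(cmdline: str) -> List[str]:
    """g_app_info_create_from_commandline() shell-parses the string into argv;
    shlex.split() applies the same splitting and quote handling."""
    return shlex.split(cmdline)


def injected_gtk_modules(argv: List[str]) -> List[str]:
    """argv elements GTK 3 would consume during gtk_init() to dlopen() a library."""
    return [arg for arg in argv if arg.startswith("--gtk-module")]


if __name__ == "__main__":
    for label, build in (("vulnerable", build_cmdline_vulnerable),
                         ("fixed", build_cmdline_fixed)):
        argv = parse_like_gio(build(MALICIOUS_DEST, page_label="12"))
        print(label, argv, "-> injected:", injected_gtk_modules(argv))
```

Quoting makes the string-to-argv round trip safe, which is the fix the advisory describes. The benign "chapter two.pdf" case shows that the same missing quoting also mangles legitimate file names with spaces. The more robust design is to never flatten arguments into a string that a shell parser must split again, and to hand an argv array straight to the spawn API instead.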
Affected Vendors & Products
Showing 7 associated CPEs

Vendor       Product           Version / Range
mate         atril             < 1.26.3
mate         atril             < 1.28.4
gnome        evince            < 48.4
linux_mint   xreader           < 4.6.4
atril        document_viewer   < 1.26.3, < 1.28.4 (upper bounds excluded)
atril        document_viewer   1.26.3
atril        document_viewer   1.28.4

Note: the description names only Atril, with 1.26.3 and 1.28.4 as the fixed releases. The evince and xreader rows and the two rows listing the fixed versions themselves are CPE associations made by this page rather than statements from the advisory; verify them against the vendor advisory before acting on them.
CWE
CWE ID    Description
CWE-88    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'). The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CWE-77    Improper Neutralization of Special Elements used in a Command ('Command Injection'). The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-829   Inclusion of Functionality from Untrusted Control Sphere. The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Executive Summary

CVE-2026-46529 is a remote code execution vulnerability in Atril Document Viewer, the default PDF reader for the MATE desktop environment on Linux. The flaw arises from improper handling of PDF link-destination fields in the ev_spawn function, where attacker-controlled input is concatenated into a command line without shell quoting, and that command line is then shell-parsed back into argv.

An attacker crafts a malicious PDF that is also a valid ELF shared library (a polyglot file). A link inside it carries a --gtk-module=PATH option spliced into the destination; once the unquoted command line is re-parsed, GTK treats that option as its own argument during gtk_init() and dlopen()s the library at PATH when the user clicks the link.

The attack requires only a single click on a link in the malicious PDF and is configuration-independent on stock Atril installations. When triggered, the shared library's constructor runs arbitrary code, such as opening a reverse shell, under the victim's user account.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code on your system with your user privileges simply by tricking you into clicking a link inside a malicious PDF document.

The attacker can gain control over your user session, potentially leading to unauthorized access to your files, installation of malware, or further exploitation of your system.

Because the exploit is delivered as a single file that is a valid PDF and requires only a single click, it is easy to deploy and does not stand out as an executable attachment before it runs.

Detection Guidance

The simplest check is the installed Atril version: 1.26.x before 1.26.3 and 1.28.x before 1.28.4 are vulnerable.

Since the vulnerability is triggered by opening a malicious PDF and clicking a crafted link, detection at the network or mail-gateway level can look for PDF files that are also ELF shared objects (ELF magic at offset 0 with a %PDF- header further in) or that contain link actions such as /GoToR whose file or URI string carries --gtk-module. A plain string match can miss the latter when the link annotation sits inside a compressed object stream (/FlateDecode), so inflate streams before matching.

On the system, check the installed Atril version, for example:

  • apt list --installed | grep atril (on Debian/Ubuntu-based systems)
  • rpm -q atril (on RPM-based systems like Fedora)

A version below 1.26.3 on the 1.26 branch, or below 1.28.4 on the 1.28 branch, is affected.

To find PDF/ELF polyglots, check the file header rather than the extension, for example:

  • file suspicious.pdf

file(1) reports the first type it matches, not both. dlopen() requires the ELF magic (0x7f 'E' 'L' 'F') at offset 0, while PDF parsers such as poppler tolerate bytes before the %PDF- header, so a polyglot is identified as an ELF shared object. A file that arrived as a PDF but is identified as ELF is the signal.
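The two file-level indicators above (ELF-first polyglot, --gtk-module inside a link target, including inside compressed object streams), as an added triage script that is not part of the advisory or of atril. PDF syntax is approximated with regular expressions, only FlateDecode (zlib) streams are inflated, and the sample PDFs are constructed for the example; none of them is real malware.

```python
"""Triage a PDF for the two indicators this advisory describes: a PDF/ELF polyglot and a
link target carrying --gtk-module. Added example, not part of the advisory or of atril.

Detection heuristic only: PDF syntax is approximated with regular expressions, and only
FlateDecode (zlib) streams are inflated.
"""
import re
import zlib
from typing import Dict, Iterator, List

ELF_MAGIC = b"\x7fELF"
PDF_MAGIC = b"%PDF-"
INJECTED_OPT = b"--gtk-module"

# stream ... endstream bodies; the EOL before 'endstream' is left for zlib to ignore.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# Literal-string values of the keys that name a file (/F, used by /GoToR and /Launch)
# or a URI (/URI) in a link action. Nested unescaped parentheses are not handled.
LINK_TARGET_RE = re.compile(rb"/(F|URI)\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def is_pdf_elf_polyglot(data: bytes) -> bool:
    """dlopen() requires the ELF header at offset 0; PDF parsers such as poppler tolerate
    leading bytes before %PDF-, so a polyglot is ELF first with the PDF marker later."""
    return data.startswith(ELF_MAGIC) and PDF_MAGIC in data


def _inflated_streams(data: bytes) -> Iterator[bytes]:
    """Yield the inflated body of each zlib-compressed stream; skip non-zlib ones."""
    for match in STREAM_RE.finditer(data):
        inflater = zlib.decompressobj()
        try:
            body = inflater.decompress(match.group(1)) + inflater.flush()
        except zlib.error:
            continue
        if inflater.eof:  # complete zlib stream; the trailing EOL lands in unused_data
            yield body


def find_gtk_module_targets(data: bytes) -> List[str]:
    """Return every /F or /URI link target carrying --gtk-module, searching the raw file
    and the inflated streams, since link annotations may sit in a compressed /ObjStm."""
    hits = []
    for blob in (data, *_inflated_streams(data)):
        for key, value in LINK_TARGET_RE.findall(blob):
            if INJECTED_OPT in value:
                hits.append("/%s (%s)" % (key.decode("ascii"), value.decode("latin-1")))
    return hits


def triage(data: bytes) -> Dict[str, object]:
    return {
        "elf_pdf_polyglot": is_pdf_elf_polyglot(data),
        "gtk_module_targets": find_gtk_module_targets(data),
    }


# Constructed samples (not real malware): a minimal PDF skeleton around one link annotation.
_INJECTED_LINK = (b"<< /Type /Annot /Subtype /Link "
                  b"/A << /S /GoToR /F (doc.pdf --gtk-module=/tmp/x.so) >> >>")
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /GoToR /F (doc.pdf) >> >> endobj\n%%EOF\n")
INJECTED_PDF = b"%PDF-1.4\n1 0 obj " + _INJECTED_LINK + b" endobj\n%%EOF\n"
COMPRESSED_PDF = (b"%PDF-1.4\n2 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
                  + zlib.compress(_INJECTED_LINK) + b"\nendstream\nendobj\n%%EOF\n")
# Fake ELF identification bytes followed by the PDF; a real polyglot has a full ELF header.
POLYGLOT_PDF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57 + INJECTED_PDF

if __name__ == "__main__":
    for name in ("BENIGN_PDF", "INJECTED_PDF", "COMPRESSED_PDF", "POLYGLOT_PDF"):
        print(name, triage(globals()[name]))
```

Run it over a directory of attachments and treat either indicator as grounds to quarantine: the polyglot check is cheap and exact, while the link-target check is a heuristic that a determined author can evade with PDF string escapes or filters other than FlateDecode, so a clean result from it is not proof of a clean file.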

Mitigation Strategies

The immediate mitigation step is to update the Atril document viewer to a fixed version that addresses this vulnerability.

  • Upgrade Atril to 1.26.3 or later on the 1.26 branch, or to 1.28.4 or later on the 1.28 branch. Note that 1.28.0 through 1.28.3 are newer than 1.26.3 but still vulnerable.

Additionally, avoid opening PDF files from untrusted or unknown sources, especially those that might contain embedded links or unusual actions.

If updating is not immediately possible, consider restricting the use of Atril or replacing it with an alternative PDF viewer; check the vendor's advisory before assuming a related viewer is unaffected, since forks of the same code base (evince, xreader) appear in the CPE list on this page.

Monitor for any suspicious activity or unexpected network connections that could indicate exploitation attempts.

Compliance Impact

The provided information does not explicitly discuss the impact of CVE-2026-46529 on compliance with common standards and regulations such as GDPR or HIPAA.
