Description
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch.
Published: 2026-06-10
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Atril Document Viewer, the default viewer in the MATE desktop environment, contains a command-line injection flaw that allows an attacker to execute arbitrary code as the current user. A malicious PDF can embed a link with a destination payload that is parsed into an unescaped shell command. The command is passed to GTK, which splits an embedded "--gtk-module=PATH" argument and dlopens the specified path during initialization, executing any constructor it finds. This single-click, single-file attack achieves full code execution without additional configuration, as the vulnerable binary unconditionally processes link destinations. The weakness is classic command injection and improper input validation (CWE-77, CWE-829).
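The injection step described above, as an added illustration that is not Atril's or GLib's code: Python's shlex.split and shlex.quote stand in for the shell re-parsing done by g_app_info_create_from_commandline and for g_shell_quote, and the binary name and link-destination strings are constructed placeholders.

```python
import shlex

# Constructed sample values; in a real document the destination field is
# whatever the PDF author wrote into the link action.
BINARY = "atril"  # placeholder for the viewer binary named in the command line
DEST_WITH_EMBEDDED_OPTION = "report.pdf --gtk-module=/tmp/placeholder.so"
DEST_THAT_IS_AN_OPTION = "--gtk-module=/tmp/placeholder.so"


def build_cmdline_unquoted(binary, dest):
    """Vulnerable pattern: untrusted field concatenated into the command string."""
    return f"{binary} {dest}"


def build_cmdline_quoted(binary, dest):
    """Hardened pattern: the untrusted field is shell-quoted first
    (shlex.quote plays the role of g_shell_quote)."""
    return f"{binary} {shlex.quote(dest)}"


def parse_argv(cmdline):
    """Stand-in for the shell parsing g_app_info_create_from_commandline
    applies to the command string before the process is spawned."""
    return shlex.split(cmdline)


def injected_gtk_args(argv):
    """Defender check: argv elements after the binary that GTK's own option
    parser would consume instead of treating them as a document path."""
    return [a for a in argv[1:] if a.startswith("--gtk-")]


def spawn_argv_is_safe(argv):
    """Added second layer (not from the page): accept only the intended shape,
    binary plus positional document arguments, none of which look like an option."""
    return len(argv) >= 1 and not any(a.startswith("-") for a in argv[1:])


if __name__ == "__main__":
    for label, dest in (("embedded option", DEST_WITH_EMBEDDED_OPTION),
                        ("option-shaped destination", DEST_THAT_IS_AN_OPTION)):
        for builder in (build_cmdline_unquoted, build_cmdline_quoted):
            argv = parse_argv(builder(BINARY, dest))
            print(f"{label:28s} {builder.__name__:22s} argv={argv}")
            print(f"{'':28s} {'':22s} gtk args={injected_gtk_args(argv)} "
                  f"safe={spawn_argv_is_safe(argv)}")
```

Quoting keeps the destination as one argv element, which defeats the split the advisory describes, but a destination that is itself option-shaped survives quoting intact, so a positional-argument check like spawn_argv_is_safe is a useful second layer.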

Affected Systems

All installations of MATE Desktop’s Atril running versions prior to 1.26.3 and 1.28.4 are affected. The issue manifests on stock, unmodified installations that open PDFs through Atril. Users of older releases should verify their version number and compare against the public releases, which include the patch.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity, and while the EPSS score is currently unavailable, the flaw is actively exploitable in user-visible PDF links, requiring only a user to click a malicious link. The lack of configuration requirements and the use of the doubly-packaged polyglot file mean that any user with access to a PDF view in a vulnerable system is at risk. The vulnerability is not listed in the CISA KEV catalog yet, but its exploitation potential warrants immediate attention.

Generated by OpenCVE AI on June 10, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Atril to version 1.26.3 or 1.28.4 (or later) to apply the patch that validates command-line arguments.
  • Deploy the updated package to all affected systems through your package management or update channels, ensuring every instance of Atril uses the fixed binary.
  • Remove or quarantine any previously downloaded malicious PDFs from user directories and consider disabling automatic handling of PDF links that invoke command execution until systems are fully patched.

Advisories

Source | ID | Title
Debian DLA | DLA-4596-1 | evince security update
Debian DLA | DLA-4597-1 | atril security update
Debian DSA | DSA-6286-1 | evince security update
Ubuntu USN | USN-8295-1 | Evince vulnerability
Ubuntu USN | USN-8321-1 | Papers vulnerability

History

Wed, 10 Jun 2026 20:30:00 +0000

Wed, 10 Jun 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description section above)
Title | | PDF /GoToR action argv injection enables single-click RCE via --gtk-module dlopen
Weaknesses | | CWE-77, CWE-829, CWE-88
References | |
Metrics | | cvssV4_0: {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T19:51:50.836Z

Reserved: 2026-05-14T19:12:32.756Z

Link: CVE-2026-46529

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-10T20:17:28.570

Modified: 2026-06-10T20:58:26.290

Link: CVE-2026-46529

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T21:30:36Z

Weaknesses