CVE-2026-46529
- Source
- https://cve.org/CVERecord?id=CVE-2026-46529
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46529.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-46529
- Aliases
-
- GHSA-vgv2-m826-8f6f
- Downstream
- Related
- Published
- 2026-06-10T19:46:23.639Z
- Modified
- 2026-06-25T14:14:12.959193529Z
- Severity
-
- 8.4 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- PDF /GoToR action argv injection enables single-click RCE via --gtk-module dlopen
- Details
-
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is
shell/ev-application.c:ev_spawn, which builds a command line from attacker-controlled PDF link-destination fields without applyingg_shell_quote. The cmdline is then handed tog_app_info_create_from_commandline, which shell-parses it back into argv — splitting any embedded--gtk-module=PATHinto a separate argv element. GTK thendlopen()s the path during init, running any__attribute__((constructor))it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT--checkpoint-actioninjection incomics-document.c, fixed in 1.6.2) but in a different code path (shell/ev-application.c) that the original patch did not touch. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46529.json", "cwe_ids": [ "CWE-77", "CWE-829", "CWE-88" ], "cna_assigner": "GitHub_M" }- References
-
- http://www.openwall.com/lists/oss-security/2026/05/19/34
- http://www.openwall.com/lists/oss-security/2026/05/21/7
- http://www.openwall.com/lists/oss-security/2026/05/22/11
- https://github.com/mate-desktop/atril/releases/tag/v1.26.3
- https://github.com/mate-desktop/atril/releases/tag/v1.28.4
- https://lists.debian.org/debian-lts-announce/2026/05/msg00041.html
- https://lists.debian.org/debian-lts-announce/2026/05/msg00042.html
- https://lists.debian.org/debian-lts-announce/2026/06/msg00021.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46529.json
- https://github.com/mate-desktop/atril/security/advisories/GHSA-vgv2-m826-8f6f
- https://nvd.nist.gov/vuln/detail/CVE-2026-46529
Affected packages
Git / github.com/mate-desktop/atril
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mate-desktop/atril
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedIntroducedFixedFixed
- Database specific
{ "source": [ "AFFECTED_FIELD", "REFERENCES" ], "extracted_events": [ { "introduced": "0" }, { "fixed": "1.26.3" }, { "introduced": "1.27.0" }, { "fixed": "1.28.4" } ] }