CVE intelligence and bounded remediation
CVE-2026-46529 — Atril Document Viewer is the default document reader of the MATE desktop environment for Linux
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`…
- Severity
- High
- CVSS
- 8.4 (4.0)
- Published
- 2026-06-10
- CISA KEV
- Not currently listed
- Ecosystem
- software/application
- Weaknesses
- CWE-77, CWE-88, CWE-829
Affected products
No browser-safe affected-product rows are available.
Matched remediation archetype
Command, code, expression, and template injection
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Trace untrusted values to process execution, interpreters, evaluators, template engines, dynamic imports, and administrative scripting features.
- Determine whether the affected path is reachable across each trust boundary and which service account or host privilege it inherits.
- Review configuration for optional execution features, unsafe compatibility modes, and shell invocation.
Remediate safely
- Replace string-built commands or evaluated code with fixed operations and structured argument APIs that do not invoke a shell.
- Use strict allowlists for operation identifiers and reject unexpected input before it reaches any interpreter.
- Update the affected component and add inert regression tests covering metacharacters, encoding variants, and alternate request paths.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.