CVE-2026-46529

EUVD-2026-36109
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch.
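The quoting defect described above, reduced to a sketch. This is an added example, not atril's code: Python's `shlex.quote` and `shlex.split` stand in for `g_shell_quote` and for the shell parsing that `g_app_info_create_from_commandline` performs. The `--page-label` option, the field values and the paths are constructed placeholders.

```python
import shlex

VIEWER = "atril"
URI = "file:///tmp/constructed.pdf"  # constructed sample document URI
# Constructed link-destination field carrying an extra option after a space.
CRAFTED = "1 --gtk-module=/constructed/placeholder.so"


def build_unquoted(label: str, uri: str) -> str:
    """Defect pattern: a document-supplied field is pasted in unquoted."""
    return f"{VIEWER} --page-label={label} {uri}"


def build_quoted(label: str, uri: str) -> str:
    """Hardened pattern: every document-supplied value is shell-quoted."""
    return f"{VIEWER} --page-label={shlex.quote(label)} {shlex.quote(uri)}"


def build_argv(label: str, uri: str) -> list[str]:
    """Alternative hardening: build argv directly, no string round trip."""
    return [VIEWER, f"--page-label={label}", uri]


def roundtrip_ok(cmdline: str, label: str, uri: str) -> bool:
    """True if shell-parsing the command line yields exactly the intended argv."""
    return shlex.split(cmdline) == build_argv(label, uri)


if __name__ == "__main__":
    for name, build in (("unquoted", build_unquoted), ("quoted", build_quoted)):
        for label in ("12", CRAFTED):
            cmdline = build(label, URI)
            print(f"{name:9} label={label!r}")
            print(f"  argv after parse: {shlex.split(cmdline)}")
            print(f"  matches intent:   {roundtrip_ok(cmdline, label, URI)}")
```

A benign label such as `12` round-trips correctly even through the unquoted builder, which is why this class of bug survives ordinary testing; a regression test needs a field containing whitespace or quote characters.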
Command Injection
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| GitHub_M | CNA | 8.4 HIGH | LOCAL | LOW | NONE | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| mate-desktop | atril | < 1.26.3 | CNA |
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| atril | bookworm | | vulnerable |
| | bookworm (security) | | vulnerable |
| | bullseye | | vulnerable |
| | bullseye (security) | 1.24.0-1+deb11u2 | fixed |
| | forky | 1.28.4-1 | fixed |
| | sid | 1.28.4-1 | fixed |
| | trixie | | vulnerable |
| evince | bookworm | | vulnerable |
| | bookworm (security) | 43.1-2+deb12u1 | fixed |
| | bullseye | | vulnerable |
| | bullseye (security) | 3.38.2-1+deb11u1 | fixed |
| | forky | 49~alpha.1-1 | fixed |
| | sid | 49~alpha.1-1 | fixed |
| | trixie | | vulnerable |
| | trixie (security) | 48.1-3+deb13u1 | fixed |
| evince-gtk3 | forky | 48.4+dfsg-1 | fixed |
| | sid | 48.4+dfsg-1 | fixed |
| papers | forky | | vulnerable |
| | sid | 49.3-3 | fixed |
| | trixie | | no-dsa |
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
evince
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
evince-browser-plugin
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
evince-devel
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
evince-lang
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
evince-plugin-djvudocument
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
evince-plugin-dvidocument
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
evince-plugin-pdfdocument
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
evince-plugin-psdocument
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
evince-plugin-tiffdocument
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
evince-plugin-xpsdocument
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
libevdocument3-4
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
libevview3-3
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
nautilus-evince
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 12 SP3
3.20.2-6.30.1
fixed
suse enterprise server 12 SP5
3.20.2-6.30.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
typelib-1_0-EvinceDocument-3_0
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
typelib-1_0-EvinceView-3_0
suse enterprise desktop 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise sap 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise sap 15 SP7
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP4
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP5
41.4-150400.3.6.1
fixed
suse enterprise server 15 SP6
45.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
45.0-150600.3.3.1
fixed
Amazon Linux Releases

| Amazon Package | Release | Version | Status |
|---|---|---|---|
| papers | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |
| papers-debuginfo | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |
| papers-debugsource | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |
| papers-devel | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |
| papers-libs | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |
| papers-libs-debuginfo | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |
| papers-nautilus | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |
| papers-nautilus-debuginfo | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |
| papers-previewer | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |
| papers-previewer-debuginfo | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |
| papers-thumbnailer | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |
| papers-thumbnailer-debuginfo | Amazon Linux 2023 | 0:47.0-12.amzn2023 | fixed |