CVE-2026-46529: Atril Remote Code Execution via Malicious PDF Links
Atril, the default document viewer for MATE desktop environments on Linux, contains a critical vulnerability that allows attackers to execute arbitrary code with a single click. When a user opens a malicious PDF file and clicks on a specially crafted link, the application can be tricked into running attacker-supplied commands. The attack is particularly dangerous because the malicious PDF can be disguised as a legitimate shared library file, making it appear harmless. Affected versions are those prior to 1.26.3 and 1.28.4. The vulnerability stems from improper handling of PDF link destinations without adequate shell-escaping, allowing an attacker to inject executable code through command-line parameters.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-77, CWE-829, CWE-88
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-15
NVD description (verbatim)
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch.
18 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in `shell/ev-application.c:ev_spawn`, which constructs a shell command from untrusted PDF link-destination fields without applying `g_shell_quote()` for proper escaping. The malformed command line is passed to `g_app_info_create_from_commandline()`, which re-parses it through a shell interpreter, splitting injected arguments like `--gtk-module=PATH` into separate argv elements. During GTK initialization, the specified module path is dynamically loaded via `dlopen()`, executing any constructor functions marked with `__attribute__((constructor))`. By crafting a polyglot file that is simultaneously valid as both a PDF and an ELF shared library, an attacker achieves single-file, single-click remote code execution without requiring special configuration. This mirrors the command-injection defect class previously fixed in CVE-2023-51698 (affecting comics-document.c), but the original patch did not address the same vulnerability in the ev_spawn code path. The root cause is a failure to properly quote shell metacharacters and validate module paths before passing them to GTK's initialization routines.
Business impact
This vulnerability poses a severe risk to MATE desktop users, particularly those who receive PDF documents from untrusted sources or download them from compromised websites. Since Atril is the default PDF viewer for MATE, many users will not have explicitly chosen it, meaning exposure is tied to typical document-handling workflows. A successful attack grants the attacker the full privileges of the user running Atril, potentially leading to data theft, malware installation, lateral movement within a corporate network, or system compromise. Organizations with MATE deployments—common in cost-conscious environments, educational institutions, and some Linux distributions—should treat this as a high-priority security incident. The single-click, configuration-independent nature of the attack significantly lowers the barrier to exploitation and increases the likelihood of successful social engineering campaigns.
Affected systems
Atril versions prior to 1.26.3 and 1.28.4 are vulnerable. The MATE desktop environment, which includes Atril as its default PDF viewer, is the primary distribution vector. Any Linux system running an affected version of Atril—whether standalone or as part of MATE—is susceptible. This includes desktop systems, workstations, and potentially thin-client environments where MATE is deployed. The vulnerability is configuration-independent, meaning default installations are fully exposed without any special setup required for exploitation.
Exploitability
Exploitability is very high. The attack requires only that a user click a link within a PDF document—an expected, normal interaction with PDF content. No special user permissions, elevated privileges, or system misconfiguration are necessary. The polyglot file technique allows the malicious payload to masquerade as a legitimate shared library, potentially bypassing casual inspection. Because the vulnerability is in the default document viewer of a popular desktop environment, and because the attack surface includes any PDF that an attacker can deliver to a user (via email, web download, file sharing, etc.), the practical exploitability is extremely high in real-world scenarios. The attack does not require the user to disable security warnings or make unusual choices.
Remediation
Organizations should immediately upgrade Atril to version 1.26.3 or 1.28.4 or later. For systems integrated with MATE, check the distribution's package repositories or the MATE project's official releases for patched versions. Until patching is complete, users should exercise caution when opening PDF documents from untrusted sources and avoid clicking links within PDFs from senders they do not recognize. However, this is a fragile mitigation and should not be relied upon as a substitute for patching. Consider advising users to use alternative PDF viewers if they cannot be immediately updated.
Patch guidance
Verify the availability of Atril 1.26.3 or 1.28.4 (or later versions) in your distribution's package manager or through official MATE project repositories. Deploy the patched version through your standard patch management process. Test the patched version in a non-production environment before full rollout to ensure compatibility with your document workflows. For organizations using MATE as part of a larger desktop environment, coordinate patching with any centralized software deployment tools. If your distribution has not yet released the patched version, check for backported security patches or contact your distribution vendor for guidance.
Detection guidance
Monitor system logs for suspicious child process spawning from Atril, particularly those involving library loading or unusual command-line arguments. Watch for network connections initiated by Atril or processes spawned as children of Atril, as these may indicate successful exploitation. Inspect recent PDF files on user systems for polyglot characteristics (files that are valid both as PDFs and as ELF binaries). If available, use EDR or behavioral monitoring tools to flag unexpected `dlopen()` calls or dynamic library loading from user-controlled locations triggered by Atril. Review access logs for any downloads of suspicious PDF files, particularly those with ambiguous or library-like names. Because the attack is local and single-click, network-based detection may be limited, making endpoint visibility critical.
Why prioritize this
This vulnerability merits immediate priority due to its high CVSS score (7.8), minimal attack complexity, reliance on a simple user interaction (link clicking in a PDF), and the fact that Atril is the default viewer for a mainstream desktop environment. The single-file, single-click nature of the attack makes it trivial to weaponize and distribute at scale. The reappearance of a similar command-injection defect in a different code path suggests that the original CVE-2023-51698 patch was insufficiently comprehensive, raising concerns about potential additional instances. For any organization with MATE deployments or users running Atril, this must be treated as a critical patch priority.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects high impact (C:H, I:H, A:H), low attack complexity (AC:L), and no privilege requirement (PR:N), but is tempered by local attack vector (AV:L) and required user interaction (UI:R). The score appropriately captures the severity: while the attack requires the user to be tricked into clicking, the consequences are complete system compromise under the user's privilege level. The high impact rating is justified because successful exploitation results in arbitrary code execution with full user permissions, including read/write/execute access to all user-accessible data and the ability to modify or delete files. The local attack vector reflects that the initial delivery method (a PDF file) must reach the target system, though this is easily achieved through email, downloads, or file sharing. Real-world risk may be higher than the base score because of the ease of social engineering, the ubiquity of PDF document handling, and the hidden nature of the polyglot payload technique.
Frequently asked questions
Can this vulnerability be exploited without user interaction?
No. The attack requires a user to click a link within the PDF document. However, this is a normal, expected action when interacting with PDFs, making it easy to trick users through social engineering. There is no way to trigger the vulnerability simply by opening the PDF file or viewing its contents.
Why is this related to CVE-2023-51698, and does that mean the original patch was incomplete?
Both vulnerabilities are instances of the same defect class: improper shell command escaping before passing untrusted input to command execution functions. CVE-2023-51698 fixed the vulnerability in the comics-document.c code path but did not address the same underlying issue in shell/ev-application.c (the ev_spawn function). This suggests the original patch was narrowly scoped and did not include a comprehensive code review or remediation of the entire codebase for similar patterns. Organizations that patched CVE-2023-51698 should not assume they are protected against this vulnerability.
Can I safely use Atril if I only open PDFs from trusted sources?
While limiting exposure to PDFs from untrusted sources is prudent, it is not a reliable defense against this vulnerability. PDFs can be distributed through compromised websites, intercepted email, or social engineering tactics that make the source appear legitimate. Additionally, users may not always know whether a source is truly trustworthy. Patching is the only reliable mitigation; user behavior alone is insufficient.
Does this vulnerability affect PDF readers on Windows or macOS?
No. Atril is specific to Linux systems, particularly those using the MATE desktop environment. Users of other PDF readers or operating systems are not affected by this particular vulnerability, though they should remain vigilant for similar issues in their own document viewers.
This analysis is based on information available as of the publication date and reflects the technical details provided in the CVE record. Patch availability, affected version numbers, and compatibility with specific distributions may vary. Organizations should verify patch status against official vendor advisories and test updates in non-production environments before deployment. The vulnerability is theoretical until weaponized or actively exploited; however, the low complexity of exploitation warrants immediate prioritization. This intelligence is provided for informational purposes to support security decision-making and should be used in conjunction with your organization's risk assessment, patch management policies, and security controls. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance for your specific environment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2024-52011HIGHCommand Injection in launch-editor via Malicious Filenames on Windows
- CVE-2026-48116HIGHAnythingLLM Command Injection via Ripgrep Abuse
- CVE-2022-49036HIGHSynology Active Backup for Business Recovery Media Creator Arbitrary Code Execution
- CVE-2022-49042HIGHSynology Hyper Backup Explorer Arbitrary Code Execution via MinGW DLL
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability
- CVE-2026-10273HIGHRemote Code Execution in php-censor Webhook Handler
- CVE-2026-10870HIGHShibby Tomato 1.28.0000 OS Command Injection Vulnerability