Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is shell/ev-application.c:ev_spawn, which builds a command line from attacker-controlled PDF link-destination fields without applying g_shell_quote. The cmdline is then handed to g_app_info_create_from_commandline, which shell-parses it back into argv — splitting any embedded --gtk-module=PATH into a separate argv element. GTK then dlopen()s the path during init, running any __attribute__((constructor)) it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT --checkpoint-action injection in comics-document.c, fixed in 1.6.2) but in a different code path (shell/ev-application.c) that the original patch did not touch.
CVE-2026-46529
This high-severity CVE scores 7.8 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.5%, top 59% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 7.8
- EG Score
- 7.8(medium)
- EPSS
- 40.9%
- KEV
- Not listed
Published
June 10, 2026
Last Modified
June 30, 2026
Advisory Details (8)
Auto-updated Jun 10, 2026[SECURITY] [DLA 4597-1] atril security update
https://lists.debian.org/debian-lts-announce/2026/05/msg00042.html[SECURITY] [DLA 4596-1] evince security update
https://lists.debian.org/debian-lts-announce/2026/05/msg00041.htmloss-security - Re: Evince/Atril/Xreader command injection CVE-2026-46529
http://www.openwall.com/lists/oss-security/2026/05/22/11oss-security - Re: Evince/Atril/Xreader command injection CVE-2026-46529
http://www.openwall.com/lists/oss-security/2026/05/21/7oss-security - Evince/Atril/Xreader command injection CVE-2026-46529
http://www.openwall.com/lists/oss-security/2026/05/19/34PDF /GoToR action argv injection enables single-click RCE via --gtk-module dlopen · Advisory · mate-desktop/atril · GitHub
Affected: 1.6.2) but in a
https://github.com/mate-desktop/atril/security/advisories/GHSA-vgv2-m826-8f6fv1.28.4
Patch available: mate-desktop/atril v1.28.4
https://github.com/mate-desktop/atril/releases/tag/v1.28.4v1.26.3
Patch available: mate-desktop/atril v1.26.3
https://github.com/mate-desktop/atril/releases/tag/v1.26.3Vendor Advisories for CVE-2026-46529(3)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(6)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | papers-common (50.1-0ubuntu1.1) @ resolute | 2026-07-05 | ubuntu |
| ubuntu | libevview3-3 (42.3-0ubuntu3.2) @ jammy | 2026-07-05 | ubuntu |
| redhat | evince-0:40.5-2.el9_4.1 | 2026-06-30 | redhat |
| redhat | evince-0:40.5-2.el9_6.1 | 2026-06-29 | redhat |
| redhat | evince-0:3.28.4-17.el8_10 | 2026-06-24 | redhat |
| redhat | evince-0:40.5-4.el9_8.1 | 2026-06-22 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Weakness Classification(3)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(3)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
Data Freshness Timeline
(refreshed 32× in last 7d / 130× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 130 total refreshes for this CVE.
- 2026-07-07 03:29 UTCEG score recompute
- 2026-07-07 03:29 UTCVendor advisory
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 22:53 UTCEG score recompute
- 2026-07-05 22:53 UTCVendor advisory
- 2026-07-05 11:19 UTCEG score recompute
- 2026-07-05 11:19 UTCVendor advisory
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 23:40 UTCEG score recompute
- 2026-07-04 23:40 UTCVendor advisory
- 2026-07-04 11:39 UTCEG score recompute
- 2026-07-04 11:39 UTCVendor advisory
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-03 19:33 UTCEG score recompute
- 2026-07-03 19:33 UTCVendor advisory
- 2026-07-03 07:59 UTCEG score recompute
- 2026-07-03 07:59 UTCVendor advisory
- 2026-07-02 18:52 UTCEG score recompute
- 2026-07-02 18:52 UTCVendor advisory
- 2026-07-02 07:17 UTCEG score recompute
- 2026-07-02 07:17 UTCVendor advisory
- 2026-07-01 19:42 UTCEG score recompute
- 2026-07-01 19:42 UTCVendor advisory
- 2026-07-01 15:07 UTCEPSS rescore
Show 75 moreShow fewer
- 2026-07-01 08:08 UTCEG score recompute
- 2026-07-01 08:08 UTCVendor advisory
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 20:31 UTCEG score recompute
- 2026-06-30 20:31 UTCVendor advisory
- 2026-06-30 08:53 UTCEG score recompute▼ 0.60
- 2026-06-30 08:53 UTCVendor advisory
- 2026-06-30 04:33 UTCNVD updateCVSS v3 → 7.8
- 2026-06-29 21:19 UTCEG score recompute
- 2026-06-29 21:19 UTCVendor advisory
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 09:45 UTCEG score recompute
- 2026-06-29 09:45 UTCVendor advisory
- 2026-06-28 22:09 UTCEG score recompute
- 2026-06-28 22:09 UTCVendor advisory
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 10:34 UTCEG score recompute
- 2026-06-28 10:34 UTCVendor advisory
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 22:59 UTCEG score recompute
- 2026-06-27 22:59 UTCVendor advisory
- 2026-06-27 11:25 UTCEG score recompute
- 2026-06-27 11:25 UTCVendor advisory
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-26 23:48 UTCEG score recompute
- 2026-06-26 23:48 UTCVendor advisory
- 2026-06-26 12:14 UTCEG score recompute
- 2026-06-26 12:14 UTCVendor advisory
- 2026-06-25 19:58 UTCEG score recompute
- 2026-06-25 19:58 UTCVendor advisory
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-25 08:23 UTCEG score recompute
- 2026-06-25 08:23 UTCVendor advisory
- 2026-06-24 20:49 UTCEG score recompute
- 2026-06-24 20:49 UTCVendor advisory
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-24 08:02 UTCEG score recompute
- 2026-06-24 08:02 UTCVendor advisory
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 20:28 UTCEG score recompute
- 2026-06-23 20:28 UTCVendor advisory
- 2026-06-23 08:29 UTCEG score recompute
- 2026-06-22 18:19 UTCEG score recompute
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 04:05 UTCEG score recompute
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:15 UTCEG score recompute
- 2026-06-21 14:15 UTCVendor advisory
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:31 UTCEG score recompute
- 2026-06-21 01:31 UTCVendor advisory
- 2026-06-20 13:11 UTCEG score recompute
- 2026-06-20 01:37 UTCEG score recompute
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-19 13:57 UTCEG score recompute
- 2026-06-19 02:22 UTCEG score recompute
- 2026-06-19 02:22 UTCVendor advisory
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 14:47 UTCEG score recompute
- 2026-06-18 14:47 UTCVendor advisory
- 2026-06-18 02:58 UTCEG score recompute
- 2026-06-18 02:58 UTCVendor advisory
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-17 15:23 UTCEG score recompute
- 2026-06-17 15:23 UTCVendor advisory
- 2026-06-17 03:50 UTCEG score recompute
- 2026-06-17 03:50 UTCVendor advisory
Publicly available exploits
(1 reference)Working exploit code is in the public domain (1 GitHub PoC). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCN1et/CVE-2026-46529First seen May 16, 2026
Evince/xreader/Atril RCE exploit to CVE-2026-46529
Open source ↗
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-77 · CWE-829
- CVE-2016-15057EG 9.9CRITICAL
- CVE-2014-5470EG 9.8EPSS 95%CRITICAL
- CVE-2013-2513EG 9.8CRITICAL
- CVE-2015-20108EG 9.8CRITICAL
- CVE-2015-10096NVD 5.0EG 9.8MEDIUM
- CVE-2016-20017EG 9.8 KEVEPSS 99%CRITICAL
- CVE-2016-4991EG 9.8CRITICAL
- CVE-2015-20107NVD 7.6EG 9.8EPSS 93%HIGH
- CVE-2012-4919EG 9.8CRITICAL
- CVE-2014-4982EG 9.8EPSS 90%CRITICAL
Frequently asked(5)
What is CVE-2026-46529?
When was CVE-2026-46529 disclosed?
Is CVE-2026-46529 actively exploited?
What is the CVSS score of CVE-2026-46529?
How do I remediate CVE-2026-46529?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-46529
Is Your Infrastructure Affected by CVE-2026-46529?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.