{"id":"CVE-2026-46529","summary":"PDF /GoToR action argv injection enables single-click RCE via --gtk-module dlopen","details":"Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue.\nThis is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch.","aliases":["GHSA-vgv2-m826-8f6f"],"modified":"2026-06-25T14:14:12.959193529Z","published":"2026-06-10T19:46:23.639Z","related":["ALSA-2026:28998","SUSE-SU-2026:22182-1","SUSE-SU-2026:2232-1","SUSE-SU-2026:2235-1","SUSE-SU-2026:2288-1","openSUSE-SU-2026:10853-1","openSUSE-SU-2026:20850-1"],"database_specific":{"cwe_ids":["CWE-77","CWE-829","CWE-88"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46529.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/19/34"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/21/7"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/22/11"},{"type":"WEB","url":"https://github.com/mate-desktop/atril/releases/tag/v1.26.3"},{"type":"WEB","url":"https://github.com/mate-desktop/atril/releases/tag/v1.28.4"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2026/05/msg00041.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2026/05/msg00042.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2026/06/msg00021.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46529.json"},{"type":"ADVISORY","url":"https://github.com/mate-desktop/atril/security/advisories/GHSA-vgv2-m826-8f6f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46529"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mate-desktop/atril","events":[{"introduced":"0"},{"introduced":"6ba899248d5f12c9bafaeba9ba371dd7007a9049"},{"fixed":"41aad6fa02755dd89013353dbd42c4d69b7cfd76"},{"fixed":"76d0cc7230f4ada3488020c63995bb474b8fe4c6"}],"database_specific":{"source":
["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.26.3"},{"introduced":"1.27.0"},{"fixed":"1.28.4"}]}}],"versions":["v1.28.3","v1.28.2","v1.28.1","v1.28.0","v1.27.1","v1.26.2","v1.26.1","v1.27.0","v1.26.0","v1.25.1","v1.25.0","v1.24.0","v1.23.2","v1.23.1","v1.23.0","v1.22.0","v1.21.1","v1.21.0","v1.20.0","v1.19.6","v1.19.5","v1.19.4","v1.19.3","v1.19.2","v1.19.1","v1.19.0","v1.18.0","v1.17.1","v1.16.1","v1.17.0","v1.16.0","v1.15.3","v1.15.2","v1.15.1","v1.15.0","v1.14.1","v1.14.0","v1.13.1","v1.13.0","v1.12.0","atril-1.12.0","atril-1.11.0","atril-1.10.1","atril-1.10.0","atril-1.9.90","atril-1.9.2","atril-1.9.1","atril-1.9.0","atril-1.8.0","atril-1.7.90","atril-1.7.2","atril-1.7.1","atril-1.7.0","mate-document-viewer-1.6.1","mate-document-viewer-1.6.0","mate-document-viewer-1.5.0","mate-document-viewer-1.4.0","atril-1.2.1","atril-1.2.0","mate-document-viewer-1.1.1","mate-document-viewer-1.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46529.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}