PT-2026-42169 · Atril+5 · Atril+5

CVE-2026-46529

·

Published

2026-05-19

·

Updated

2026-06-30

CVSS v4.0

8.4

High

VectorAV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Atril versions prior to 1.26.3 Atril versions prior to 1.28.4 Evince versions prior to 48.4 Xreader versions prior to 4.6.4 Xreader versions prior to 3.6.7 Papers (affected versions not specified)
Description A command injection issue exists in the ev spawn() function within shell/ev-application.c. The software fails to apply g shell quote when building a command line from PDF link-destination fields, specifically within /GoToR actions. This allows an attacker to inject arguments, such as --gtk-module=PATH, by using spaces in the destination values. If a user is tricked into clicking a link in a malicious PDF, the application may load a polyglot file—a file that is simultaneously a valid PDF and a valid ELF shared library—via dlopen(). This results in arbitrary code execution as the user when the ELF constructor runs during initialization. The issue can be triggered through format strings like --page-label=%s, --named-dest=%s, and --find=%s.
Recommendations Update Atril to version 1.26.3 or 1.28.4. Update Evince to version 48.4 or later. Update Xreader to version 4.6.4 or 3.6.7. At the moment, there is no information about a newer version that contains a fix for this vulnerability for Papers.

Exploit

Fix

DoS

RCE

Argument Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

ALSA-2026:27819
ALSA-2026:28998
CVE-2026-46529
GHSA-VGV2-M826-8F6F
OPENSUSE-SU-2026:10853-1
OPENSUSE-SU-2026:11163-1
OPENSUSE-SU-2026:20850-1
OPENSUSE-SU-2026:21106-1
RHSA-2026:27819
RHSA-2026:28998
RHSA-2026:33169
RHSA-2026:33416
SUSE-SU-2026:22182-1
SUSE-SU-2026:2232-1
SUSE-SU-2026:2235-1
SUSE-SU-2026:2288-1
USN-8295-1
USN-8321-1

Affected Products

Atril
Evince
Linuxmint
Rocky Linux
Ubuntu
Xreader