PT-2026-42169

Published 2026-05-20 · Updated 2026-05-25 · CVE-2026-46529

Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Evince versions prior to 48.2
Atril versions prior to 1.26.3
Atril versions prior to 1.28.4
Xreader versions prior to 3.6.7
Xreader versions prior to 4.6.4
Description

Command injection is possible when processing PDF /GoToR actions because the ev_spawn() function in shell/ev-application.c does not quote shell-like input. Specifically, three format strings (--page-label=%s, --named-dest=%s, and --find=%s) insert destination values without passing them through g_shell_quote(). An attacker can place spaces in the value to inject new arguments, such as --gtk-module, pointing to a polyglot file (a file that is simultaneously a valid PDF and a valid ELF, Executable and Linkable Format, binary). This allows the attacker to execute arbitrary code via dlopen when GTK3 loads the module. The security check strcmp(application->uri, uri) can be bypassed by appending ?1 to the filename, because g_app_info_launch_uris() still resolves the path correctly while the string comparison fails.
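The quoting defect described above, modelled as an added example (not code from Evince, Atril or Xreader): shlex.quote stands in for GLib's g_shell_quote() and shlex.split for the re-parsing the spawner does, and the flag names are the three format strings named in the advisory; the destination value and the --extra-arg token are constructed sample input.

```python
"""Argument injection via unquoted destination values (CVE-2026-46529 pattern).

shlex.quote models g_shell_quote(); shlex.split models the shell-style
re-parsing that turns the built string back into an argv before exec.
"""
import shlex

# The three format strings the advisory names in ev_spawn().
DEST_FLAGS = {
    "page_label": "--page-label=%s",
    "named_dest": "--named-dest=%s",
    "find": "--find=%s",
}
KNOWN_PREFIXES = tuple(f.split("%s")[0] for f in DEST_FLAGS.values())


def build_cmdline_unquoted(uri, **dests):
    """Vulnerable pattern: destination values pasted into the line verbatim."""
    parts = ["evince", uri]
    for key, value in dests.items():
        parts.append(DEST_FLAGS[key] % value)
    return " ".join(parts)


def build_cmdline_quoted(uri, **dests):
    """Hardened pattern: every attacker-influenced value is shell-quoted first."""
    parts = ["evince", shlex.quote(uri)]
    for key, value in dests.items():
        parts.append(DEST_FLAGS[key] % shlex.quote(value))
    return " ".join(parts)


def parsed_argv(cmdline):
    """Re-parse the command line the way the spawner does before exec."""
    return shlex.split(cmdline)


def injected_flags(argv):
    """Detection helper: option-looking argv entries that no known flag produced."""
    return [a for a in argv[1:] if a.startswith("--") and not a.startswith(KNOWN_PREFIXES)]


if __name__ == "__main__":
    # Constructed sample: a page label carrying a space and a second option.
    label = "1 --extra-arg"
    for build in (build_cmdline_unquoted, build_cmdline_quoted):
        argv = parsed_argv(build("doc.pdf", page_label=label))
        print(build.__name__, argv, "injected:", injected_flags(argv))
```

With the unquoted builder the label splits into two argv entries; with quoting it stays one argument, which is what passing the value through g_shell_quote() achieves in the fixed versions.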
Recommendations

Update Evince to version 48.2 or later. Update Atril to version 1.26.3 or 1.28.4 or later. Update Xreader to version 3.6.7 or 4.6.4 or later.

Related Identifiers

CVE-2026-46529
OPENSUSE-SU-2026:10853-1
USN-8295-1

Affected Products

Atril
Evince
Xreader