CVE-2026-46529: PDF /GoToR action argv injection enables single-click RCE via --gtk-module dlopen
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch.
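The defect class described above, shown as an added example that is not atril's code and does not use GLib: Python's `shlex` stands in for it, because `shlex.split()` applies the same POSIX word-splitting rules that GIO uses when it turns a command-line string back into argv (`g_shell_parse_argv`), and `shlex.quote()` single-quotes a string the way `g_shell_quote()` does. The destination strings, the module path and the `atril ` prefix are constructed placeholders.

```python
"""Model of argv injection via shell re-parsing (the CVE-2026-46529 defect class).

Added example, not atril's code. shlex.split() stands in for GLib's shell
re-parsing of a command line, shlex.quote() for g_shell_quote().
"""
import shlex

# Constructed attacker-controlled /GoToR destination: a "file name" that, once
# shell-split, becomes an extra option. The library path is a placeholder.
HOSTILE_DEST = "report.pdf --gtk-module=/tmp/PLACEHOLDER_LIBRARY"
# Constructed benign destination with spaces, to show the quoted form also
# fixes ordinary filenames that the unquoted form would split.
BENIGN_DEST = "annual report 2025.pdf"


def build_cmdline_unquoted(dest: str) -> str:
    """Vulnerable pattern: concatenate the destination straight into the command line."""
    return "atril " + dest


def build_cmdline_quoted(dest: str) -> str:
    """Hardened pattern: quote the destination so it survives re-parsing as ONE argv element."""
    return "atril " + shlex.quote(dest)


def reparse(cmdline: str) -> list[str]:
    """What the launcher does next: shell-parse the string back into argv."""
    return shlex.split(cmdline)


def injected_options(argv: list[str]) -> list[str]:
    """Return argv elements after the program name that look like options.

    A viewer launched on one document should see exactly one non-option
    argument, so any '--' element here means a document field escaped
    from the filename position into option space.
    """
    return [a for a in argv[1:] if a.startswith("--")]


if __name__ == "__main__":
    for label, dest in (("hostile", HOSTILE_DEST), ("benign", BENIGN_DEST)):
        for builder in (build_cmdline_unquoted, build_cmdline_quoted):
            argv = reparse(builder(dest))
            print(f"{label:8s} {builder.__name__:24s} argv={argv} "
                  f"injected={injected_options(argv)}")
```

Quoting is the minimal fix the advisory points at; the more robust design is to never round-trip through a string at all and hand the launcher an argv array in which the document path is one element, which removes the re-parsing step that makes the injection possible.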
Metrics
- CVSS v4.0: 8.4
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an argument injection vulnerability (argv injection via shell re-parsing) in Atril Document Viewer, the default PDF reader in the MATE desktop environment for Linux. The attack is local in execution context but is triggered remotely by social engineering: a victim opens a crafted PDF and clicks a link inside it, causing Atril to pass an attacker-controlled `--gtk-module` path to GTK, which `dlopen()`s a shared library and runs arbitrary constructor code. Successful exploitation gives the attacker full code execution as the logged-in user with no privilege escalation needed. No fix versions have been published upstream yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built base images derived from MATE or atril packages. Any image carrying atril < 1.26.3 or a 1.27.x/1.28.x build below 1.28.4 is flagged automatically.
- Available: HarborGuard surfaces this CVE with its CVSS 4.0 score of 8.4 (HIGH) and applies per-environment compliance policy weighting to determine urgency tier, then routes the finding to the appropriate team inbox or ticket queue within each customer organization.
- Pending upstream: Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version appears upstream. In the meantime, customers with auto-remediation enabled will receive a notification and a flagged workload report so compensating controls can be applied without delay.
Exploit Conditions
- Network reachability: Not required
  The attacker does not need direct network access to the host; the payload is delivered as a crafted PDF file, and the vulnerable code path runs locally on the victim's machine when the file is opened.
- Authentication: Not required
  No account credentials or session token are required; any user who opens the malicious PDF is a viable target.
- Victim interaction: Required
  The victim must open a crafted PDF in Atril and click a malicious link inside it, making this a one-click social-engineering attack.
- Attack complexity
  Exploitation is reliable and condition-free once the victim clicks the link; no race conditions, memory layout knowledge, or special system configuration are needed, and a single polyglot PDF/ELF file is sufficient.
Blast Radius
- Executes arbitrary shared-library constructor code as the logged-in user, giving the attacker a full shell or persistent process under that identity.
- Reads any file accessible to the victim user, including SSH keys, browser session stores, and application credentials stored in the home directory.
- Writes or modifies files owned by the victim user, enabling persistence mechanisms such as backdoored shell rc files or cron entries.
- Terminates or corrupts the user session and any applications running under the same UID, disrupting the desktop environment.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for this CVE, the platform monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment atril 1.26.3 or 1.28.4 packages are published upstream. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads, with median time from upstream publication to merged patch PR around 90 minutes for HIGH-severity issues in environments with auto-remediation active. While no fix is available, recommended compensating controls include isolating desktop container images that bundle atril behind a network policy that blocks outbound connections (limiting exfiltration after a successful dlopen), using a content-filtering layer to block delivery of polyglot PDF/ELF files at the registry or CI ingestion boundary, and pinning affected images to a read-only filesystem where possible to prevent constructor-code persistence. Teams that can accept a feature-level trade-off should consider substituting a different PDF viewer in their base image until the patch lands.
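The content-filtering control mentioned above needs a concrete check. The following is an added example, not HarborGuard or atril code, and it relies only on the two file formats' own rules: an ELF image must carry the magic bytes `0x7f 'E' 'L' 'F'` at offset 0, while the PDF specification allows the `%PDF-` header to appear anywhere in the first 1024 bytes. A file that satisfies both is a PDF/ELF polyglot of the kind the advisory describes. The sample byte strings are constructed, not real documents.

```python
"""Registry/CI ingest check for PDF/ELF polyglot files.

Added example, not HarborGuard or atril code. Classifies a file head by the
ELF and PDF format rules and applies a simple block policy.
"""
import sys

ELF_MAGIC = b"\x7fELF"
PDF_HEADER = b"%PDF-"
PDF_HEADER_WINDOW = 1024  # a conforming PDF reader looks for %PDF- in this range


def classify(data: bytes) -> str:
    """Return one of: pdf, pdf-offset-header, elf, pdf-elf-polyglot, other."""
    is_elf = data.startswith(ELF_MAGIC)
    pdf_at = data[:PDF_HEADER_WINDOW].find(PDF_HEADER)
    if is_elf and pdf_at != -1:
        return "pdf-elf-polyglot"   # loadable by ld.so AND openable by a PDF viewer
    if is_elf:
        return "elf"
    if pdf_at == 0:
        return "pdf"
    if pdf_at > 0:
        return "pdf-offset-header"  # spec-legal but unusual; worth a closer look
    return "other"


def should_block(data: bytes) -> bool:
    """Policy for a document-only ingest path: never admit an ELF, polyglot or not."""
    return classify(data) in {"pdf-elf-polyglot", "elf"}


# Constructed samples (not real files): a minimal PDF head, a 64-bit ELF-style
# header padded to 68 bytes, a polyglot that places %PDF- inside the ELF's
# first KiB, and a PDF whose header is preceded by junk bytes.
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
SAMPLE_ELF = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 61
SAMPLE_POLYGLOT = SAMPLE_ELF + b"\n" + SAMPLE_PDF
SAMPLE_OFFSET_PDF = b"\x00" * 64 + SAMPLE_PDF


def scan_paths(paths: list[str]) -> dict[str, str]:
    """Classify each file on disk by its first KiB; used by the CLI entry point."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = classify(fh.read(PDF_HEADER_WINDOW))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, verdict in scan_paths(sys.argv[1:]).items():
            print(f"{verdict:18s} {path}")
    else:
        for name, blob in (("pdf", SAMPLE_PDF), ("elf", SAMPLE_ELF),
                           ("polyglot", SAMPLE_POLYGLOT), ("offset", SAMPLE_OFFSET_PDF)):
            print(f"{name:9s} -> {classify(blob):18s} block={should_block(blob)}")
```

This catches the single-file packaging the advisory describes, but it is a compensating control rather than a fix: a plain PDF whose link points at a shared library delivered separately is not a polyglot and passes this header check, so the real remedy remains the upstream quoting fix in `ev_spawn`.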
Affected Products
- mate-desktop / atril: < 1.26.3 · >= 1.27.0, < 1.28.4
CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N