Main Vulnerability Database Vulnerabilities #VU132128

Improper Neutralization of Argument Delimiters in a Command in atril - CVE-2026-46529

Published: May 22, 2026 / Updated: May 22, 2026

Vulnerability identifier: #VU132128

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2026-46529

CWE-ID: CWE-88

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: MATE Desktop

Affected software:
atril

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of argument delimiters in a command in ev_spawn() in shell/ev-application.c when processing a crafted /GoToR action in a PDF document. A remote attacker can trick the victim into clicking a crafted link in a malicious PDF to execute arbitrary code.

User interaction is required to click a link inside the PDF document, and the issue can be delivered as a single polyglot file that is both a valid PDF and a valid ELF shared library.

How to mitigate CVE-2026-46529

Install security update from vendor's website.

Sources

https://github.com/mate-desktop/atril/security/advisories/GHSA-vgv2-m826-8f6f

Improper Neutralization of Argument Delimiters in a Command in atril - CVE-2026-46529

Detailed vulnerability description

How to mitigate CVE-2026-46529

Sources

Please verify you're human