Hi,

CVE-2026-46529 is a command injection vulnerability in Evince, Atril, and Xreader caused by missing quoting of shell-like input in ev_spawn() in ev-application.c. It is fixed by:

• Evince 48.2
• Atril 1.28.4 and 1.26.3
• Xreader 4.6.4 and 3.6.7

The fixes for the issue are public in all three projects' git repos [1] [2] [3]. Distros, please start preparing updates immediately.

This bug also affects Papers [4], but it's probably not urgent to update Papers.

I'm doing a little experiment here: although the vulnerability itself is now public because those commits are public and because this is a public mailing list, I have nevertheless decided to keep the original issue reports and CVE details private until Thursday, May 21, because they contain a working exploit developed by an LLM. Perhaps that's arguably stretching the rules of this mailing list slightly, but hopefully this is OK since the flaw and the fix are both public.

I know this is not a standard embargo strategy. And the date is also very soon, leaving you not much time to react. I don't know if this was actually a good idea or not. Complaints welcome!

My goal was to make it easy to prepare immediate distro updates without waiting for an embargo to end, while also not releasing the full exploit immediately. I expect people will surely figure out how to abuse this vulnerability shortly after I send this mail, but I'm hoping that attempts to do so will be initially less effective than what we'll release on Thursday.

[1] https://gitlab.gnome.org/GNOME/evince/-/commit/970c219e861a5fcc3e7b9e05bedf18cf0de39245
[2] https://github.com/mate-desktop/atril/commit/b989b7922a454ed81f8bb14786a958828513f576
[3] https://github.com/linuxmint/xreader/commit/50052eaa91c3c750c51c245799e3747495feeece
[4] https://gitlab.gnome.org/GNOME/papers/-/commit/1b82bf627b4d8b414a57b55a9095e6d361799d6c
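The bug class named above (a file name spliced unquoted into a shell-style command line) is easy to check for in isolation. The following is an added illustration, not code from Evince, Atril, Xreader or Papers, and not the mail author's: build_unsafe() and build_safe() are hypothetical stand-ins for the command construction in ev_spawn(), and shlex.quote / shlex.split stand in for GLib's g_shell_quote / g_shell_parse_argv. The sample file name is constructed. It only tokenises strings; nothing is executed.

```python
"""Shell-quoting check for the bug class behind CVE-2026-46529.

Added example (not the projects' own code). The names below are
hypothetical stand-ins for the command-line construction in ev_spawn().
"""
import shlex

# Hypothetical executable name used only to build a command string.
VIEWER = "viewer"


def build_unsafe(path: str) -> str:
    """Pre-fix pattern: the path is spliced in verbatim."""
    return f"{VIEWER} --open {path}"


def build_safe(path: str) -> str:
    """Fixed pattern: the path is single-quoted before splicing.

    shlex.quote plays the role of g_shell_quote here (assumption)."""
    return f"{VIEWER} --open {shlex.quote(path)}"


def tokens(cmdline: str) -> list[str]:
    """Split the line the way a POSIX shell would (shlex.split stands in
    for g_shell_parse_argv). Raises ValueError on unbalanced quotes."""
    return shlex.split(cmdline)


def path_survives_intact(cmdline: str, path: str) -> bool:
    """True if the path comes back as exactly one argv element after
    shell-style splitting; False if it fragments or fails to parse."""
    try:
        argv = tokens(cmdline)
    except ValueError:
        # An unbalanced quote in the file name breaks the unsafe line.
        return False
    return len(argv) == 3 and argv[2] == path


# Constructed file name containing a space and a shell metacharacter.
SAMPLE = "annual report; notes.pdf"

if __name__ == "__main__":
    for builder in (build_unsafe, build_safe):
        line = builder(SAMPLE)
        print(f"{builder.__name__:13} {path_survives_intact(line, SAMPLE)!s:5} {tokens(line)}")
```

Run as a script, the unsafe line splits the file name into several argv words while the quoted line keeps it as one; the same check with a file name containing a single quote shows the unquoted line failing to parse at all. The defensive takeaway is the one the fix commits apply: never interpolate a path into a string that will later be shell-parsed without quoting it first, or better, pass argv directly and avoid shell parsing altogether.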
