A heap-based buffer overflow in the Atril EPUB parser (MATE Desktop) allows for remote code execution. The vulnerability is addressed in version 1.26.4 following a coordinated disclosure by Trend Micro’s Zero Day Initiative.

The Atril Document Viewer, the standard document component for the MATE Linux desktop environment, contains a heap-based buffer overflow vulnerability in its EPUB file parsing logic that enables remote code execution (RCE). Trend Micro’s Zero Day Initiative (ZDI) published a coordinated advisory, ZDI-26-360 (associated with CVE-2026-52849), today, June 11, 2026. The flaw is already patched; the fix was merged on June 2, and version atril 1.26.4 was released to provide coverage for distributions that have not yet transitioned to the 1.28 branch.

Key Takeaways
  • ZDI-26-360 / CVE-2026-52849: A heap overflow in Atril’s EPUB XML parsing leads to RCE via malicious files.
  • User Interaction Required: The attack triggers when a user opens a malicious EPUB or visits a page that automatically downloads it.
  • Verified Patch Released: GitHub PR #700 replaces an unsafe copy loop with g_strndup; merged June 2, included in atril 1.26.4.
  • Target Profile: Traditional Linux desktop environments used by institutions, schools, and organizations prioritizing stability and low resource usage.

The Flaw: Unvalidated Byte-by-Byte Copying

The vulnerability resides in how Atril extracts the path from the XML attributes of an EPUB container. The ZDI advisory describes the mechanism precisely:

"The specific flaw exists within the parsing of XML attributes within epub files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer." — ZDI-26-360 advisory

The vulnerable code performed a manual byte-by-byte copy of the full-path attribute value into a heap-allocated buffer without checking whether the attribute's length exceeded the buffer's size. An EPUB file with an artificially long path therefore overwrites adjacent heap memory, producing a heap overflow that can lead to arbitrary code execution within the Atril process context.

ZDI classifies the vulnerability as Remote Code Execution (RCE), though it requires the user to open the document. This vector—an e-book that appears legitimate—is particularly effective because EPUB files are routinely exchanged and perceived as benign, unlike executables or Office macros.

The Patch: Transitioning to g_strndup with Safe Limits

The fix was developed publicly on GitHub via Pull Request #700, opened by maintainer vkareh. The surgical update includes 22 additions and 12 deletions. The core change is described in the commit:

"Replace manual byte-by-byte copy loop with g_strndup when extracting the directory component from the epub container's full-path attribute" — vkareh, PR #700

Replacing the manual copy loop with g_strndup, a GLib function that duplicates at most a given number of bytes of a string and NUL-terminates the copy, closes the overflow: the length of the copy is fixed by the call rather than by whatever the file supplies. In addition to replacing the copy routine, the patch adds a file existence check before parsing, further reducing the potential for path manipulation.

The PR review confirmed the effectiveness of the fix with a concrete test case. User lukefromdc verified that a test_longpath.epub file, which previously caused malloc errors and GUI crashes on the master branch, is now handled safely: Atril starts normally and simply refuses to open the malformed document. This demonstrates that the patch blocks both the crash and the exploitation vector.
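To make the flaw and the fix concrete, the following is an added example written for this article; it is not Atril's code, not the PR #700 diff, and the buffer size, helper names and container.xml snippet are assumptions. It models the pattern the advisory and the commit message describe: extracting the directory component of the container's full-path attribute, once with an unchecked byte-by-byte copy into a fixed heap buffer, and once with a bounded duplicate in the style of g_strndup (a local strndup_bounded() stands in so the example builds without GLib). It also carries the length check the unchecked version lacks, and runs the bounded version on a constructed over-long path like the test_longpath.epub case mentioned in the review.

```c
/* Added example (not Atril's code): the EPUB container full-path copy that ZDI-26-360
 * describes, in an unchecked form and a bounded form. Builds without GLib. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed heap buffer in the unchecked variant (illustrative only). */
#define DIR_BUF_SIZE 256

/* Minimal attribute lookup for <rootfile full-path="..."> in container.xml.
 * Not a real XML parser: it locates `name="` and returns the quoted value's start
 * and length, or NULL if the attribute or its closing quote is missing. */
const char *find_attr(const char *xml, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = xml;
    while ((p = strstr(p, name)) != NULL) {
        if (p[nlen] == '=' && p[nlen + 1] == '"') {
            const char *start = p + nlen + 2;
            const char *end = strchr(start, '"');
            if (!end) return NULL;
            *len = (size_t)(end - start);
            return start;
        }
        p += nlen;
    }
    return NULL;
}

/* Length of the directory component including the trailing '/', 0 if there is none. */
size_t dir_component_len(const char *value, size_t len)
{
    size_t dir_len = 0, i;
    for (i = 0; i < len; i++)
        if (value[i] == '/') dir_len = i + 1;
    return dir_len;
}

/* The check the unchecked variant never makes: would the directory component plus
 * its NUL terminator exceed a fixed buffer of buf_size bytes? */
int dir_exceeds_buffer(const char *value, size_t len, size_t buf_size)
{
    return dir_component_len(value, len) + 1 > buf_size;
}

/* Unchecked pattern (the "before"): byte-by-byte copy into a fixed heap buffer.
 * The loop bound is the attribute's length, not DIR_BUF_SIZE, so a longer value
 * writes past the end of buf. It is called below only on short, constructed input. */
char *extract_dir_unchecked(const char *value, size_t len)
{
    size_t dir_len = dir_component_len(value, len), i;
    char *buf = malloc(DIR_BUF_SIZE);
    if (!buf) return NULL;
    for (i = 0; i < dir_len; i++)
        buf[i] = value[i];
    buf[dir_len] = '\0';
    return buf;
}

/* Stand-in for GLib's g_strndup(): duplicate at most n bytes of s, NUL-terminated. */
char *strndup_bounded(const char *s, size_t n)
{
    const char *nul = memchr(s, '\0', n);
    size_t len = nul ? (size_t)(nul - s) : n;
    char *out = malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

/* Bounded pattern (the "after"): the destination is sized from the input, so there
 * is no fixed buffer to overrun; an over-long path yields a long, well-formed string. */
char *extract_dir_bounded(const char *value, size_t len)
{
    return strndup_bounded(value, dir_component_len(value, len));
}

/* Constructed container.xml whose full-path directory is dir_chars 'A's long. */
char *build_container_xml(size_t dir_chars)
{
    const char *head = "<?xml version=\"1.0\"?><container version=\"1.0\">"
                       "<rootfiles><rootfile full-path=\"";
    const char *tail = "/content.opf\" media-type=\"application/oebps-package+xml\"/>"
                       "</rootfiles></container>";
    char *xml = malloc(strlen(head) + dir_chars + strlen(tail) + 1);
    if (!xml) return NULL;
    strcpy(xml, head);
    memset(xml + strlen(head), 'A', dir_chars);
    strcpy(xml + strlen(head) + dir_chars, tail);
    return xml;
}

int main(void)
{
    size_t len = 0;
    char *xml = build_container_xml(4096);           /* far beyond DIR_BUF_SIZE */
    const char *value = find_attr(xml, "full-path", &len);
    if (!value) return 1;
    printf("full-path length: %zu, exceeds %d-byte buffer: %s\n", len, DIR_BUF_SIZE,
           dir_exceeds_buffer(value, len, DIR_BUF_SIZE) ? "yes" : "no");
    char *dir = extract_dir_bounded(value, len);     /* safe regardless of length */
    printf("bounded copy produced %zu bytes without overflow\n", strlen(dir));
    free(dir);
    free(xml);
    return 0;
}
```

The unchecked function is deliberately never fed the long path: on such input its behaviour is undefined, which is exactly the malloc error and crash the review observed. The bounded version needs no separate size check to be memory-safe, but dir_exceeds_buffer() shows the comparison a reviewer would look for wherever a fixed-size destination remains in use.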

Disclosure Timeline and Coordination

The vulnerability was managed through coordinated disclosure. According to the ZDI advisory, the report was submitted to the vendor on May 20, 2026; the public advisory, with the patch already integrated, was scheduled for June 11, 2026. This three-week window allowed the MATE team to prepare, test, and release the fix prior to public disclosure.

Version atril 1.26.4 was released specifically to include the fix for distributions maintaining the stable 1.26 branch. As vkareh stated in the PR: "I just released 1.26.4 with these changes included due to some distros not shipping 1.28". This detail is critical for system administrators managing conservative desktop environment deployments.

  • Update atril to version 1.26.4 or later, available in official MATE repositories and distributions that have integrated the backport.
  • Verify the installed version using atril --version or the system package manager; builds from the master branch prior to June 2 are vulnerable.
  • Exercise caution with EPUB files received via email or untrusted downloads, as they can serve as RCE vectors upon opening.
  • Monitor Linux distribution updates if using MATE in enterprise or institutional environments; the severity of the flaw justifies prioritized patching.

Atril and the Traditional Desktop Attack Surface

The discovery of an RCE in MATE’s EPUB viewer highlights an ecosystem that is often overlooked. While GNOME and its Evince viewer dominate Linux desktop security coverage, MATE remains the default choice for numerous conservative distributions—from Linux Mint MATE to enterprise, educational, and governmental systems that prioritize stability and a small footprint. Atril, a fork of Evince, inherits a mature codebase that remains susceptible to parsing flaws in complex document formats.

EPUB files are ZIP-based structures that encapsulate XML, CSS, fonts, and multimedia resources. The complexity of parsing these components—containers, manifests, spines, and metadata—creates a significant attack surface even in seemingly passive desktop applications. The requirement for manual user interaction does not diminish the risk; social engineering via electronic documents is a well-established threat, and EPUBs are distributed through channels—email, web, and stores—that normalize their exchange.

The CVE-2026-52849 record is currently in a reserved state with the assigning CNA; full details have not yet populated the MITRE database. While the ZDI advisory does not explicitly list a CVSS score, the technical description—RCE via heap overflow with user interaction—suggests high severity. There are currently no reports of this vulnerability being exploited in the wild, as the early patch and coordinated disclosure successfully mitigated the exposure window.

Information verified against cited sources and current as of the time of publication.

Sources and references
  1. zerodayinitiative.com
  2. cve.org
  3. github.com
  4. trendmicro.com