VYPR
Unrated severity · NVD Advisory · Published Jan 25, 2024 · Updated Jun 17, 2025

Remote Code Execution Vulnerability in Atril's EPUB ebook parsing

CVE-2023-52076

Description

A path traversal vulnerability in Atril Document Viewer prior to 1.26.2 allows arbitrary file write, enabling remote command execution via crafted EPUB files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A path traversal vulnerability exists in the EPUB parsing code of Atril Document Viewer (the default document reader of the MATE desktop environment) in versions prior to 1.26.2. The extract_one_file function in the EPUB handler does not validate that extracted filenames remain within the intended temporary directory, allowing an attacker to write files to arbitrary locations on the filesystem via a crafted EPUB archive [1][2].

Exploitation

An attacker must craft a malicious EPUB file containing entries with path traversal sequences (e.g., ../) in the filenames. The victim must open this file in Atril. No special network position or authentication is required; only user interaction (opening the document) is needed. Upon extraction, Atril writes the attacker-controlled content to the path specified by the traversal, outside the temporary extraction directory [1].

Impact

Successful exploitation allows an attacker to write arbitrary files to any location the victim user can write, with the limitation that existing files cannot be overwritten. This can be leveraged for remote command execution by, for example, placing a malicious .desktop file in ~/.config/autostart/, or creating ~/.ssh/authorized_keys or a shell startup script such as ~/.bash_profile where the file does not already exist. The attacker gains code execution at the victim's privilege level, leading to full system compromise [1].

Mitigation

The vulnerability is fixed in Atril version 1.26.2, released on 2024-01-25 [3]. The fix adds a path validation check using g_file_get_relative_path to reject filenames that escape the temporary directory [2]. Users should update to 1.26.2 or later. No workaround is available for earlier versions. This CVE is not listed on the CISA Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • MATE/Atril: 2 versions, < 1.26.2
    • (no CPE) range: < 1.26.2
    • (no CPE) range: < 1.26.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing path sanitization in EPUB entry extraction allows directory traversal, enabling arbitrary file write."

Attack vector

An attacker crafts a malicious EPUB document containing ZIP entries whose filenames embed directory traversal sequences (e.g., `../../../../proc/self/cwd/.config/autostart/exploit.desktop`). When a victim opens the document in Atril, the viewer extracts those entries and writes files to the attacker-controlled path. Because the traversal can reach `/proc/self/cwd/`, which resolves to the victim's current working directory (typically inside their home folder), the attacker does not need to know the victim's username. The crafted document can be renamed with a .pdf extension and still trigger the same code path [ref_id=1].

Affected code

The vulnerability resides in Atril's EPUB ebook parsing logic. The advisory does not specify exact function or file names, but the flaw is in how Atril extracts file paths from entries inside a crafted EPUB archive. The researcher notes that Atril reads both EPUB and PDF documents, and a renamed .epub file (e.g., something.pdf) is still processed as an EPUB, so the same code path is reachable via a PDF extension.
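
A defender-side triage check for the behaviour described above, as an added example (not Atril's code and not taken from the advisory): it classifies a file by content, so a renamed .pdf is still inspected, and flags ZIP entry names that would resolve outside the extraction directory. The function names and the sample archive are constructed for illustration; the check is purely lexical and shares the intent of the containment test the fix is described as adding, without being a port of it.

```python
import io
import posixpath
import zipfile


def entry_escapes(name: str) -> bool:
    """True if a ZIP entry name would resolve outside the extraction directory."""
    # Treat '\' as a separator too, so it cannot hide a traversal sequence.
    name = name.replace("\\", "/")
    if name.startswith("/"):
        return True  # absolute path: ignores the extraction directory entirely
    # Lexical normalisation collapses '.', '..' and repeated slashes; anything
    # still starting with '..' afterwards has climbed above the root.
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def scan_document(data: bytes) -> list[str]:
    """Return the entry names in `data` that escape the extraction directory.

    The file is classified by content, not extension: an EPUB renamed to
    .pdf is still a ZIP container and is still inspected.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []
    with zipfile.ZipFile(buf) as zf:
        return [i.filename for i in zf.infolist() if entry_escapes(i.filename)]


def build_sample(names: list[str]) -> bytes:
    """Constructed test fixture: an in-memory ZIP holding the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample; the names are illustrative, not taken from a real file.
    sample = build_sample(["mimetype", "OEBPS/ch1.xhtml",
                           "OEBPS/../../outside.txt", "../../outside/note.txt"])
    for name in scan_document(sample):
        print("entry escapes extraction directory:", name)
```

A non-empty result from `scan_document` is worth an alert whatever the file's extension, for example when run over a mail or download quarantine before documents reach users on unpatched hosts.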

What the fix does

Version 1.26.2 of Atril contains a patch for this vulnerability [ref_id=1]. The advisory does not include a diff or describe the specific code change, but the fix presumably validates or sanitizes file paths extracted from EPUB entries to reject directory traversal sequences. No further technical details about the patch are provided in the available references.

Preconditions

  • input: The victim must open a crafted EPUB (or PDF-renamed EPUB) document using Atril.
  • config: The victim's user account must have write permissions to the target directory (e.g., ~/.config/autostart/, ~/.ssh/).
  • auth: No authentication is required beyond the victim's local user session.
  • network: The attacker must deliver the crafted document to the victim (e.g., via email, download, USB).

Reproduction

The advisory provides a proof-of-concept reproduction [ref_id=1]:

  (1) Take a sample EPUB file and rename it POC.epub.
  (2) Create a placeholder file: `echo Desktop > XXYXXYXXYXXYprocYselfYcwdYDesktopYpwnd.txt`.
  (3) Add the placeholder to the EPUB: `zip -u POC.epub XXYXXYXXYXXYprocYselfYcwdYDesktopYpwnd.txt`.
  (4) Replace the placeholder name with a traversal path: `sed -i s/"XXYXXYXXYXXYprocYselfYcwdYDesktopYpwnd.txt"/"..\/..\/..\/..\/proc\/self\/cwd\/Desktop\/pwnd.txt"/g POC.epub`.
  (5) Copy the crafted EPUB to a PDF: `cp POC.epub POC.pdf`.

When the victim opens either file from within their home directory, the file `pwnd.txt` is written to their Desktop.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
