VYPR advisory, published Jun 11, 2026 (1 source)

MATE Desktop Atril Document Viewer EPUB Parsing Flaw Enables Remote Code Execution

A heap-based buffer overflow in MATE Desktop's Atril document viewer (CVE-2026-52849) allows remote code execution via malicious EPUB files.

The Zero Day Initiative has disclosed a critical heap-based buffer overflow vulnerability in MATE Desktop's Atril document viewer. Tracked as CVE-2026-52849, the flaw resides in the software's EPUB file parsing routine, enabling remote attackers to execute arbitrary code on affected installations. User interaction is required—victims must open a malicious file or visit a compromised web page—but exploitation can lead to full system compromise.

The vulnerability carries a CVSS score of 7.8, indicating a high-severity risk. While remote code execution is possible, the attack complexity is elevated, and the requirement for user interaction moderates the overall threat level. However, given Atril's widespread use across Linux distributions as a default document viewer for the MATE desktop environment, the potential attack surface is substantial.

Atril is the official document viewer for MATE Desktop, a popular desktop environment forked from GNOME 2 and used by multiple Linux distributions including Ubuntu MATE, Linux Mint, and Debian. The application supports various document formats such as PDF, PostScript, DjVu, and EPUB. The disclosed vulnerability specifically targets the EPUB parser, a format increasingly popular for digital publications and open-source document distribution.

No patch has been announced as of the advisory publication date. The ZDI advisory notes that the vulnerability was reported privately, but details have now been released to the public. Users and system administrators are advised to exercise caution when opening EPUB files from untrusted sources, to monitor the MATE project's issue tracker for patch announcements, and to consider using alternative document viewers for EPUB content until a fix is available.
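The interim advice above, routing EPUB content to a viewer other than Atril, can be checked and applied through the user's freedesktop mimeapps.list (normally ~/.config/mimeapps.list). The script below is an added example, not code from the advisory or the MATE project; it assumes Atril registers its desktop entry as atril.desktop, works on a constructed sample mimeapps.list, and uses org.example.Reader.desktop as a hypothetical stand-in for whatever alternative viewer is installed.

```shell
#!/bin/sh
# Added example, not from the advisory or the MATE project. Inspects and changes the
# EPUB handler registered in a freedesktop mimeapps.list (normally ~/.config/mimeapps.list)
# so untrusted EPUBs stop opening in Atril by default. Assumes Atril's desktop entry
# is atril.desktop; the replacement viewer name is a hypothetical placeholder.
EPUB_MIME="application/epub+zip"

# Print the entry registered for EPUB under [Default Applications] (empty if none).
epub_handler() {
    awk -v mime="$EPUB_MIME" '
        /^\[/ { in_defaults = ($0 == "[Default Applications]"); next }
        in_defaults && index($0, mime "=") == 1 { print substr($0, length(mime) + 2); exit }
    ' "$1"
}

# Exit 0 when atril.desktop is among the registered EPUB handlers (list may be ;-separated).
epub_opens_in_atril() {
    case "$(epub_handler "$1")" in
        atril.desktop|"atril.desktop;"*|*";atril.desktop"|*";atril.desktop;"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Point the EPUB line under [Default Applications] at another viewer (adding it if
# missing); other sections such as [Added Associations] are left untouched.
set_epub_handler() {
    awk -v mime="$EPUB_MIME" -v handler="$2" '
        /^\[/ { if (in_defaults && !done) { print mime "=" handler; done = 1 }
                in_defaults = ($0 == "[Default Applications]"); seen = seen || in_defaults }
        in_defaults && index($0, mime "=") == 1 { if (!done) print mime "=" handler; done = 1; next }
        { print }
        END { if (!done) { if (!seen) print "[Default Applications]"; print mime "=" handler } }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample mimeapps.list (not a real user's file) used for demonstration.
SAMPLE="${TMPDIR:-/tmp}/mimeapps.sample.list"
cat > "$SAMPLE" <<'EOF'
[Default Applications]
application/pdf=atril.desktop
application/epub+zip=atril.desktop

[Added Associations]
application/epub+zip=atril.desktop;
EOF

# Switch the default only when Atril currently owns EPUB; PDF and other entries stay as they were.
epub_opens_in_atril "$SAMPLE" && set_epub_handler "$SAMPLE" "org.example.Reader.desktop"
```

Run against the real ~/.config/mimeapps.list only after confirming the replacement .desktop file exists under /usr/share/applications or ~/.local/share/applications, otherwise EPUB files will have no default handler at all.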

This disclosure adds to a growing list of memory corruption vulnerabilities in document viewers and file parsers, where complex file formats frequently harbor exploitable flaws. The heap-based buffer overflow in Atril underscores the ongoing challenge of securing legacy codebases against increasingly sophisticated attack techniques.

Synthesized by Vypr AI