A command-injection vulnerability has been disclosed affecting multiple GTK-based PDF readers including Evince, Atril, and Xreader. Attackers can craft polyglot PDF files that are simultaneously valid ELF binaries. When a user opens such a PDF and clicks a malicious embedded link, the exploit abuses the `--gtk-module` command-line flag to load the PDF itself as a GTK module, enabling arbitrary code execution. The vulnerability is less severe in Papers because GTK 4 removed the `--gtk-module` flag. Proof-of-concept exploit scripts are included in the disclosure.
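A defensive triage check for the polyglot described above, as an added example that is not part of the original disclosure: it flags a buffer that has an ELF header at offset 0 and also contains a `%PDF-` marker, and records whether the ELF type is a shared object, the kind `dlopen()` will load. The function names, the whole-buffer search for the marker and the sample bytes are assumptions made for illustration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PDF_MARKER = b"%PDF-"
ET_DYN = 3  # ELF e_type for shared objects, the kind dlopen() will load


def triage(data: bytes) -> dict:
    """Report whether a buffer carries both an ELF header and a PDF marker."""
    report = {"elf": False, "shared_object": False,
              "pdf_offset": None, "polyglot": False}
    pdf_at = data.find(PDF_MARKER)
    if pdf_at != -1:
        report["pdf_offset"] = pdf_at
    # An ELF file must have its magic at offset 0; e_type follows the
    # 16-byte e_ident block, so at least 18 bytes are needed.
    if len(data) >= 18 and data[:4] == ELF_MAGIC:
        report["elf"] = True
        # e_ident[5] (EI_DATA): 1 = little-endian, 2 = big-endian.
        endian = ">" if data[5] == 2 else "<"
        (e_type,) = struct.unpack_from(endian + "H", data, 16)
        report["shared_object"] = e_type == ET_DYN
    report["polyglot"] = report["elf"] and pdf_at != -1
    return report


def make_elf_stub(e_type: int) -> bytes:
    """Constructed 64-byte ELF64 little-endian header stub (not loadable)."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # class, data, version, padding
    return ident + struct.pack("<H", e_type) + bytes(46)


# Constructed samples, not taken from the disclosure.
SAMPLE_POLYGLOT = make_elf_stub(ET_DYN) + b"%PDF-1.7\n%%EOF\n"
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
SAMPLE_ELF = make_elf_stub(2) + bytes(16)  # e_type 2 = ET_EXEC, no PDF marker

if __name__ == "__main__":
    for name, blob in [("polyglot", SAMPLE_POLYGLOT),
                       ("plain pdf", SAMPLE_PDF),
                       ("plain elf", SAMPLE_ELF)]:
        print(name, triage(blob))
```

A file with a `.pdf` name for which `polyglot` is true is worth quarantining before it reaches a viewer.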

From lwn.net