First published 18 June 2026
CVSS 3.1: 7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
A security vulnerability has been found in Evince, a PDF viewer used in IGEL OS. This affects the following product versions:
- IGEL OS 12
- IGEL OS 11
Details
A weakness in the Evince PDF viewer can enable remote code execution (RCE). To exploit it, an attacker must trick the user into opening a crafted PDF with Evince. Commands such as a reverse shell can then be run with the user’s permissions. This is tracked as CVE-2026-46529 and rated as high.
Exploit code for this issue is publicly available on the Internet.
Update Instructions
- OS 12: Upgrade the Evince app to version 43.1.2 BUILD 3.0 (with Debian security patch) or newer as soon as it is available on the IGEL App Portal.
- OS 11: IGEL OS 11 will reach End of Maintenance (EOM) in June 2026. To continue receiving security updates, maintenance releases, and technical support, we recommend upgrading to IGEL OS 12.
References
- CVE-2026-46529: https://www.cve.org/CVERecord?id=CVE-2026-46529