Over the last few months, we (Patrick and I) have done a substantial amount of research into, and discussion with others about, the security risks of executable MIME handlers. This is a log of the discussions, posts, and CVEs related to this, several of which were discovered by us.
- Initial thread on the oss-security mailing list with research findings, mostly focusing on the dangers introduced by installing Wine from WineHQ upstream: oss-security - On the issue of MIME handlers that execute arbitrary code (e.g. Wine)
- CVE assigned to KDE’s Dolphin file manager, this was discovered by us, the issue has been patched: https://www.cve.org/CVERecord?id=CVE-2026-41525
- Earlier thread on oss-security talking about a very similar (now fixed) issue in Debian’s Mono package: oss-security - Code execution through MIME-type association of Mono interpreter and security expectations of MIME type associations
- CVE assigned for the Mono issue, not discovered by us, issue is patched: https://www.cve.org/CVERecord?id=CVE-2023-26314
- Bug report against Ubuntu’s Java and Mailcap packages for a vulnerability discovered by us while writing the initial thread to oss-security: Bug #2153100 “.jar MIME handler allows escaping Firefox's Snap s...” : Bugs : openjdk-25 package : Ubuntu
- Associated CVE, now fixed: https://www.cve.org/CVERecord?id=CVE-2026-10037
- Follow-up thread on oss-security reporting a related issue in PCManFM-Qt: oss-security - PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method
- CVE assigned for PCManFM-Qt, issue discovered by us, this has not been patched but has been mitigated in Kicksecure: https://www.cve.org/CVERecord?id=CVE-2026-48700
- Bug report to Wine for shipping an executable MIME handler: Making sure you're not a bot!
- CVE for Wine, discovered by us, this has not been patched upstream, but Debian has a patch already that has been integrated for some years: https://www.cve.org/CVERecord?id=CVE-2026-48831
- Email to XDG FreeDesktop mailing list proposing a spec change to separate executable MIME handlers from non-executable handlers: Fixing security issues with MIME handler registration in the Desktop Entry spec
- More formal change proposal for the desktop file specification and ensuing discussion: Making sure you're not a bot!
- Thread on fedora-devel mailing list discussing the issue: Making sure you're not a bot!
Further conversations about this should be edited into this post or posted underneath as new posts. (I think we traditionally do new posts, but I’d kind of like to use edits for this to keep all of the links in one place.)