Description
Kitty is a cross-platform GPU-based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
Published: 2026-06-12
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Kitty terminal versions before 0.47.2, the child process that implements the file transmission protocol creates files with os.open() without the O_NOFOLLOW flag. A time-of-check to time-of-use race between the symlink validation and the os.open() call lets an attacker plant a symbolic link at the destination path after the check has already passed. The resulting open follows the link, so the write lands on whatever file the attacker pointed the link at, which amounts to local privilege escalation. The weakness is a classic TOCTOU race (CWE-367), recorded together with untrusted search path (CWE-426) and improper link resolution before file access (CWE-59).
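To make the check-then-open window concrete, the following is an added example (not kitty's code and not from the advisory) that contrasts the vulnerable pattern with the O_NOFOLLOW form the fix describes. The `race_hook` parameter is a constructed test seam standing in for the attacker's window between check and use; the file names and directory are throwaway values created in a temp dir.

```python
import errno
import os
import tempfile
from typing import Callable, Optional


def write_file_unsafe(path: str, data: bytes,
                      race_hook: Optional[Callable[[], None]] = None) -> None:
    """Vulnerable pattern: a stat-style check, then an open() that still follows links.

    race_hook is a constructed hook for this demo (not part of kitty). It runs
    after the check and before the open, exactly where a symlink can be planted.
    """
    if os.path.islink(path):                      # time of check
        raise ValueError("refusing to write through a symlink")
    if race_hook is not None:
        race_hook()                               # a link planted here wins the race
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # time of use
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def write_file_nofollow(path: str, data: bytes,
                        race_hook: Optional[Callable[[], None]] = None) -> None:
    """Hardened form: O_NOFOLLOW makes the kernel refuse to open through a symlink
    at the final path component, so the check and the use are one atomic step."""
    if race_hook is not None:
        race_hook()                               # same window, but it no longer helps
    fd = os.open(path,
                 os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both writers against a planted link inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "victim.txt")   # stands in for a sensitive file
        dest = os.path.join(workdir, "upload.txt")     # the name the writer was asked to create
        with open(victim, "wb") as f:
            f.write(b"original")

        def plant_link() -> None:
            # The race: dest did not exist at check time; now it points at victim.
            if not os.path.lexists(dest):
                os.symlink(victim, dest)

        results = {}
        write_file_unsafe(dest, b"clobbered", race_hook=plant_link)
        with open(victim, "rb") as f:
            results["unsafe_write_followed_link"] = f.read() == b"clobbered"

        with open(victim, "wb") as f:
            f.write(b"original")                       # reset before the hardened run
        try:
            write_file_nofollow(dest, b"clobbered", race_hook=plant_link)
            results["nofollow_refused"] = False
        except OSError as exc:
            # Linux and macOS report ELOOP for this case; FreeBSD reports EMLINK.
            results["nofollow_refused"] = exc.errno in (errno.ELOOP, errno.EMLINK)
        with open(victim, "rb") as f:
            results["nofollow_left_target_intact"] = f.read() == b"original"
        return results


if __name__ == "__main__":
    print(demo())
```

Note that O_NOFOLLOW only protects the final path component; if an attacker controls a directory earlier in the path, that component can still be a link. For that case the usual defence is to open the directory first and create the file relative to it with `os.open(name, flags, dir_fd=...)`, and to use O_CREAT|O_EXCL when the file must not pre-exist at all.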

Affected Systems

The vulnerability affects the Kitty terminal (kovidgoyal:kitty) on all platforms supported by the project. Any installation running a version older than 0.47.2 is susceptible; all releases 0.47.2 and newer include the fix.

Risk and Exploitability

The CVSS score of 5.0 indicates a moderate severity. The EPSS score of <1% suggests low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local user capable of executing code in the child process of Kitty, typically normal users with access to the terminal. An attacker can construct a symlink in a writable directory that the child process will follow during file creation, enabling writes to arbitrary system paths. The attack remains local and does not require elevated privileges to execute the exploit but results in privilege escalation once the file write succeeds.

Generated by OpenCVE AI on June 12, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Kitty to version 0.47.2 or later to apply the security fix
  • If an immediate upgrade is not possible, install the patch as a separate binary and ensure that only users with the necessary clearance can run the updated version
  • Configure filesystem permissions to restrict write access to directories used by Kitty’s file transmission protocol, minimizing the risk that a symlink could target sensitive files

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Kovidgoyal
                                       Kovidgoyal kitty
Vendors & Products    (none)           Kovidgoyal
                                       Kovidgoyal kitty

Fri, 12 Jun 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Kitty is a cross-platform GPU-based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
Title         (none)           Kitty has an Arbitrary File Write via Symlink Race Condition in File Transmission Protocol
Weaknesses    (none)           CWE-367
                               CWE-426
                               CWE-59
References    (none)           (none)
Metrics       (none)           cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L'}


Subscriptions

Kovidgoyal Kitty
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:03:17.907Z

Reserved: 2026-06-11T18:24:35.096Z

Link: CVE-2026-54055

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T20:16:47.450

Modified: 2026-06-12T20:16:47.450

Link: CVE-2026-54055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T21:30:07Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition

  • CWE-426

    Untrusted Search Path

  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')