SecuriTricks - CVE-2026-54055

Description

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.

Product(s) Impacted

Vendor	Product	Versions
Kitty	Kitty	<0.47.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	kitty	kitty	<0.47.2	/	/	/	/	/	/	/

References

https://github.com/kovidgoyal/kitty/security/advisories/GHSA-q446-x7q6-vcxh

CVSS Score

5.0 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: LOW

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L

View Vector String

Timeline

Published: June 12, 2026, 8:16 p.m.
Last Modified: June 12, 2026, 8:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-54055