CVE-2026-54055

medium

Description

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.

References

https://github.com/kovidgoyal/kitty/security/advisories/GHSA-q446-x7q6-vcxh

Details

Source: Mitre, NVD

Published: 2026-06-12

Updated: 2026-06-12

Risk Information

CVSS v2

Base Score: 4.5

Vector: CVSS2#AV:L/AC:H/Au:S/C:N/I:C/A:P

Severity: Medium

CVSS v3

Base Score: 5

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L