
Kitty terminal CVE-2026-54057

EUVD-2026-36579 · HIGH
Code Injection (CWE-94)
Published 2026-06-12 · Vendor: GitHub_M
Score: 7.3 (CVSS 4.0)

Severity by source

Vendor (GitHub_M), primary rating: 7.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 7.8 HIGH

Local delivery of bytes to the terminal (AV:L), low complexity, no privileges on Kitty, requires user to view content and be at shell prompt (UI:R), full shell command execution yields C/I/A:H.

CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SUSE: HIGH (qualitative)

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Passive (P)
Scope: X (not defined)

Lifecycle Timeline

Patch available: Jun 12, 2026, 22:01 (EUVD)
Analysis generated: Jun 12, 2026, 21:22 (vuln.today)

Description (source: CVE.org)

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.

Analysis (AI-generated)

Code injection in Kitty terminal emulator versions prior to 0.47.3 allows attacker-controlled bytes - including newline characters - to be reflected back into the user's shell input via the OSC 21 (color-control) escape sequence query reply. An attacker who can cause arbitrary bytes to be written to the terminal (malicious file contents, SSH banner, log entry, web page) can inject and execute shell commands at the victim's privilege level. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Stage malicious OSC 21 payload in file/banner/log
Delivery: Trick victim into rendering content in Kitty
Exploit: Terminal reflects attacker bytes with newline into pty
Execution: Shell parses injected line as command
Impact: Command executes at victim's privilege level

Vulnerability Assessment (AI-generated)

Exploitation: The victim must be running a Kitty terminal emulator at a version below 0.47.3 with an interactive shell at the prompt, and must cause attacker-controlled bytes containing a crafted OSC 21 (color-control) query sequence to be written to the terminal. Typical delivery paths are `cat`/`less -r`/`tail` on a malicious file, viewing untrusted SSH login banners or MOTDs, rendering a log line written by a network-reachable service, or curl-ing a hostile web response. …

Risk Assessment: The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H) accurately captures the trade-offs. Impact is high (full shell command execution as the user), but the attack requires local delivery of bytes to the terminal (AV:L), an attack requirement (AT:P: the victim must be using a vulnerable Kitty version with a shell that processes the injected line), and passive user interaction (UI:P: simply viewing or cat-ing malicious content, or connecting to a hostile SSH host, is enough). …

Exploit Scenario: An attacker hosts a text file (or controls an SSH login banner, a log line written by a network service, or a web response viewed via `curl`) containing a crafted OSC 21 query with embedded newlines and a shell command. When the victim views the content in a vulnerable Kitty session, Kitty replies to the OSC 21 query and reflects the attacker's bytes, including the newline and command, into the pty, causing the user's shell to execute the injected command at the next prompt with the victim's privileges.

Remediation: Vendor-released patch: upgrade Kitty to version 0.47.3 or later, which sanitizes OSC 21 reply bytes. The fix and details are documented in the upstream advisory at https://github.com/kovidgoyal/kitty/security/advisories/GHSA-5gmr-9gwg-hhq6. …
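As an added defensive example (not code from vuln.today, the kitty project, or the advisory), the Python filter below scans untrusted text for OSC 21 color-control sequences that carry C0 control bytes such as newline before that text is written to a terminal, and strips them; the sample lines are constructed, and the OSC 21 syntax it assumes is `ESC ] 21 ; key=value ST` with `?` as the query value.

```python
import re

# OSC sequences: ESC ] <number> ; <payload> ST, where ST is ESC \ (BEL is also
# accepted as a terminator by many emulators). Kitty's color-control protocol is
# assumed here to use OSC 21 with a "key=value;..." payload and "?" meaning query.
OSC_RE = re.compile(rb"\x1b\]([0-9]*);(.*?)(?:\x1b\\|\x07)", re.DOTALL)


def _has_c0_control(payload: bytes) -> bool:
    """True if the payload carries any C0 control byte (CR/LF included) or DEL."""
    return any(b < 0x20 or b == 0x7F for b in payload)


def find_osc_sequences(data: bytes):
    """Return (number, payload) pairs for every terminated OSC sequence in data."""
    return [(m.group(1), m.group(2)) for m in OSC_RE.finditer(data)]


def suspicious_osc21(data: bytes):
    """Payloads of OSC 21 sequences that embed control bytes.

    A legitimate color-control payload is printable key=value text, so a line
    break inside it is exactly the shape a vulnerable kitty would echo back into
    the shell's input.
    """
    return [p for num, p in find_osc_sequences(data)
            if num == b"21" and _has_c0_control(p)]


def sanitize(data: bytes) -> bytes:
    """Strip OSC 21 sequences with control bytes; leave all other output untouched."""
    def repl(m):
        if m.group(1) == b"21" and _has_c0_control(m.group(2)):
            return b""
        return m.group(0)
    return OSC_RE.sub(repl, data)


# Constructed samples (not real captures): a benign color query, and a log line
# followed by an OSC 21 query with an embedded newline.
SAMPLE_CLEAN = b"\x1b]21;foreground=?\x1b\\plain text\n"
SAMPLE_BAD = b"normal log line\n\x1b]21;foreground=?\nINJECTED-LINE\x1b\\\n"

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("bad", SAMPLE_BAD)):
        hits = suspicious_osc21(sample)
        print(f"{name}: {len(hits)} suspicious OSC 21 sequence(s)")
```

Only terminated sequences are matched, so an unterminated OSC (which a terminal keeps consuming until an ST arrives) is not caught; a filter for fully untrusted input should strip every ESC-introduced sequence rather than only OSC 21.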

Recommended Action (AI-generated)

Within 24 hours: Inventory all systems running the Kitty terminal emulator and document current versions. …


Vendor Status

SUSE
Severity: Important
Product status: openSUSE Tumbleweed, Fixed


CVE-2026-54057 vulnerability details – vuln.today
