Severity by source
AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L
Local-only TOCTOU race (AV:L/AC:H), requires existing session process (PR:L) and file transfer interaction (UI:R); writes cause integrity harm but no confidentiality loss.
Primary rating from Vendor (github).
CVSS Vector (Vendor: github)
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L
Description (CVE.org)
Kitty is a cross-platform GPU-based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The os.open() call used to create files does not use O_NOFOLLOW, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
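The check-then-open pattern from the description next to an open that passes O_NOFOLLOW, as an added example that is not kitty's own code. The function names and the `between` hook (which stands in for the window between check and use) are hypothetical, and the demo only touches constructed files in a temporary directory.

```python
import errno
import os
import stat
import tempfile

def create_check_then_open(path, data, between=lambda: None):
    """Pattern from the advisory: validate with a stat, then open by path."""
    try:
        if stat.S_ISLNK(os.lstat(path).st_mode):
            raise PermissionError("refusing symlink: " + path)
    except FileNotFoundError:
        pass  # nothing at the path yet, so the check passes
    between()  # hypothetical hook: the gap between check and use
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def create_nofollow(path, data, between=lambda: None):
    """Hardened form: the kernel rejects a symlink in the final component."""
    between()
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(path, flags, 0o600)  # fails (ELOOP on Linux) before truncating
    with os.fdopen(fd, "wb") as f:
        # Verify the object actually opened, not the path name.
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file: " + path)
        f.write(data)

def demo():
    """Replace the destination with a symlink inside the window, for both forms."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for fn in (create_check_then_open, create_nofollow):
            victim = os.path.join(d, fn.__name__ + ".victim")  # constructed file
            dest = os.path.join(d, fn.__name__ + ".dest")
            with open(victim, "wb") as f:
                f.write(b"original")
            try:
                fn(dest, b"transferred", between=lambda: os.symlink(victim, dest))
                err = None
            except OSError as e:
                err = errno.errorcode.get(e.errno)
            with open(victim, "rb") as f:
                out[fn.__name__] = (err, f.read())
    return out

if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW covers only the last path component; symlinks in parent directories are still resolved, so a destination directory that untrusted code can modify needs to be opened first and the file created relative to it with `dir_fd`.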
Analysis (AI)
Arbitrary file write in kitty terminal versions prior to 0.47.2 allows a child process running inside a kitty session to redirect writes to attacker-controlled filesystem paths. The root cause is a missing O_NOFOLLOW flag in the os.open() call within kitty's file transmission protocol: between the initial symlink validation stat-check and the actual file open, an attacker can insert a symlink, causing the write to follow it to an arbitrary destination - a classic TOCTOU race. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires the attacker to have an active child process running inside a kitty terminal session on the target system - this implies local code execution as a low-privileged user (consistent with PR:L). … |
| Risk Assessment | The CVSS 3.1 base score of 5.0 accurately reflects a moderate, contextually constrained risk. … |
| Exploit Scenario | A malicious or compromised child process running inside a victim's kitty terminal session initiates a file transmission protocol write targeting a benign path. During the brief window between kitty's stat() validation and the os.open() call, the attacker process creates a symlink at that path pointing to a sensitive target such as /etc/cron.d/backdoor or ~/.ssh/authorized_keys. … |
| Remediation | The primary fix is to upgrade kitty to version 0.47.2 or later, which corrects the os.open() call to include the O_NOFOLLOW flag, preventing symlink traversal at file creation time. … |
Vendor Status
SUSE
Severity: Moderate
EUVD-2026-36556