
Kitty terminal EUVD-2026-36578

CVE-2026-54056 · HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-06-12 · GitHub_M
CVSS 3.1 (NVD): 7.1

Severity by source

Vendor (GitHub_M), primary: HIGH (qualitative)

NVD: 7.1 HIGH
  CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

vuln.today AI: 6.9 MEDIUM
  Rationale: network-delivered drag source with no kitty-side authentication (PR:N); AC:H because the attack needs the case-collision race and a case-sensitive filesystem; UI:R for the drag gesture; scope change, since the write escapes the staging directory, with I:H/A:L from the file overwrite and no confidentiality loss.
  CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L
  CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

SUSE: HIGH (qualitative)

Primary rating from Vendor (GitHub_M).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: Low

Lifecycle Timeline (3 events)

Jun 16, 2026 16:07 (NVD): CVSS changed from 7.6 (HIGH) to 7.1 (HIGH)
Jun 12, 2026 22:01 (EUVD): Patch available
Jun 12, 2026 21:22 (vuln.today): Analysis generated

Description (NVD)

Kitty is a cross-platform GPU-based terminal. In versions 0.47.0 and 0.47.1, kitten dnd can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote text/uri-list drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses utils.CreateAt() / openat(O_RDWR|O_CREAT|O_TRUNC) without O_NOFOLLOW, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects kitten dnd remote drag-and-drop staging, uses different vulnerable code (kittens/dnd/drop.go and tools/utils/file_at_fd.go), and reproduces on commit 4aa4a5c0567a92553a8c20a88a4352da637fca5d, after the file-transfer O_NOFOLLOW fix. Version 0.47.2 patches the issue.
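The two defects the description names, a missing basename de-duplication and an openat() without O_NOFOLLOW, are easiest to understand side by side. The Go program below is an added illustration written for this page; it is not kitty's code and does not use kitty's utils.CreateAt(). It builds a constructed staging layout (a file outside the staging directory plus a staged symlink pointing at it), then opens the staged name once with the flags the advisory describes and once with O_NOFOLLOW added, reporting whether the outside file was truncated in each case. The basename check (checkUniqueBasenames) is a hypothetical version of the de-duplication the advisory says was missing; comparing names case-insensitively is this example's own conservative choice, not a rule from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"path"
	"path/filepath"
	"strings"
	"syscall"
)

// checkUniqueBasenames rejects a text/uri-list whose entries would be staged
// under the same basename. It compares case-insensitively so the check is
// equally strict on case-sensitive and case-insensitive filesystems (an
// assumption of this example, not kitty's rule).
func checkUniqueBasenames(uris []string) error {
	seen := make(map[string]string)
	for _, raw := range uris {
		u, err := url.Parse(strings.TrimSpace(raw))
		if err != nil {
			return fmt.Errorf("bad uri %q: %w", raw, err)
		}
		base := path.Base(u.Path)
		if base == "." || base == "/" || base == "" {
			return fmt.Errorf("uri %q has no usable basename", raw)
		}
		key := strings.ToLower(base)
		if prev, dup := seen[key]; dup {
			return fmt.Errorf("basename collision: %q and %q", prev, base)
		}
		seen[key] = base
	}
	return nil
}

// stageEntry writes data to name inside the directory open at dirFD.
// noFollow=false uses the flags the advisory describes
// (O_RDWR|O_CREAT|O_TRUNC); noFollow=true adds O_NOFOLLOW, so a symlink
// already sitting at that name makes the open fail with ELOOP instead of
// truncating whatever the link points at.
func stageEntry(dirFD int, name string, data []byte, noFollow bool) error {
	flags := syscall.O_RDWR | syscall.O_CREAT | syscall.O_TRUNC
	if noFollow {
		flags |= syscall.O_NOFOLLOW
	}
	fd, err := syscall.Openat(dirFD, name, flags, 0o600)
	if err != nil {
		return err
	}
	f := os.NewFile(uintptr(fd), name)
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// demo builds the constructed layout and returns whether the unhardened open
// truncated the outside file, and whether the O_NOFOLLOW open refused the
// symlink and left the outside file intact.
func demo() (vulnerableTruncated, hardenedBlocked bool, err error) {
	root, err := os.MkdirTemp("", "dnd-demo-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)

	target := filepath.Join(root, "outside.txt") // file outside staging
	staging := filepath.Join(root, "staging")
	const original = "original contents\n"
	if err := os.WriteFile(target, []byte(original), 0o600); err != nil {
		return false, false, err
	}
	if err := os.Mkdir(staging, 0o700); err != nil {
		return false, false, err
	}
	// A previously staged entry that is a symlink to the outside file.
	if err := os.Symlink(target, filepath.Join(staging, "entry")); err != nil {
		return false, false, err
	}
	dirFD, err := syscall.Open(staging, syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
	if err != nil {
		return false, false, err
	}
	defer syscall.Close(dirFD)

	// Unhardened open: the symlink is followed and the outside file truncated.
	if err := stageEntry(dirFD, "entry", []byte("staged\n"), false); err != nil {
		return false, false, err
	}
	got, err := os.ReadFile(target)
	if err != nil {
		return false, false, err
	}
	vulnerableTruncated = string(got) != original

	// Reset, then retry with O_NOFOLLOW: the open must fail with ELOOP.
	if err := os.WriteFile(target, []byte(original), 0o600); err != nil {
		return false, false, err
	}
	err = stageEntry(dirFD, "entry", []byte("staged\n"), true)
	got, rerr := os.ReadFile(target)
	if rerr != nil {
		return false, false, rerr
	}
	hardenedBlocked = errors.Is(err, syscall.ELOOP) && string(got) == original
	return vulnerableTruncated, hardenedBlocked, nil
}

func main() {
	v, h, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("unhardened open truncated the outside file: %v\n", v)
	fmt.Printf("O_NOFOLLOW open refused the staged symlink: %v\n", h)
}
```

Run it with `go run .` on Linux or macOS. O_NOFOLLOW only refuses a symlink at the final path component; a check such as checkUniqueBasenames is still needed so that a remote list cannot place two entries under one staged name in the first place, which is the sequence the advisory describes.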

Analysis (AI)

Arbitrary file write in Kitty terminal versions 0.47.0 and 0.47.1 allows a remote drag-and-drop source to overwrite files writable by the local kitty user via a TOCTOU symlink race in kitten dnd staging. The flaw stems from openat() calls lacking O_NOFOLLOW when handling duplicate remote basenames on case-sensitive filesystems, letting an attacker-staged symlink redirect writes outside the staging directory. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Host malicious remote drag source
Delivery: Victim drags payload into kitty
Exploit: Send text/uri-list with case-colliding entries
Install: Stage symlink to target file
C2: Second write follows symlink via openat without O_NOFOLLOW
Execute: Overwrite arbitrary user-writable file
Impact: Code execution on next shell login

Vulnerability Assessment (AI)

Exploitation: Requires the victim to be running Kitty 0.47.0 or 0.47.1 on a case-sensitive filesystem and to actively perform a drag-and-drop operation from an attacker-controlled remote source into a kitty window with 'kitten dnd' handling the drop. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L yields 7.6 (High), with the scope change reflecting writes escaping the staging directory to arbitrary user-owned files. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A user drags a file from an attacker-controlled remote source (e.g., a hostile web page or remote desktop session) into a kitty terminal running 0.47.0/0.47.1. The malicious source sends a text/uri-list payload containing two same-basename entries that differ only in case: the first creates a symlink in the staging directory pointing to ~/.bashrc, and the second writes a regular file with the same basename, which openat() follows through the symlink and truncates/overwrites the victim's shell rc, yielding code execution on the next shell launch.

Remediation: Vendor-released patch: upgrade to Kitty 0.47.2, which adds the missing O_NOFOLLOW semantics to the dnd staging open path; see https://github.com/kovidgoyal/kitty/security/advisories/GHSA-r892-cv7q-fw8x for the fix commit and details. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

24 hours: Inventory Kitty deployments and identify systems running versions 0.47.0 or 0.47.1. …


Vendor Status

SUSE: Severity Important


EUVD-2026-36578 vulnerability details – vuln.today
