CVE-2026-54055
MEDIUMKitty has an Arbitrary File Write via Symlink Race Condition in File Transmission Protocol
Title source: cnaDescription
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/kovidgoyal/kitty/security/advisories/GHSA-q446-x7q6-vcxh
Scores
CVSS v3
5.0
EPSS
0.0007
EPSS Percentile
0.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-367
CWE-426
CWE-59
Status
published
Products (1)
kovidgoyal/kitty
< 0.47.2
Published
Jun 12, 2026
Tracked Since
Jun 13, 2026