CVE-2026-54055
Received Received - Intake
Local Privilege Escalation in Kitty Terminal via TOCTOU Race Condition

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-13
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-54055
EUVD
EUVD-2026-36556
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
kitty kitty to 0.47.2 (exc)
kovidgoyal kitty to 0.47.2 (exc)
kovidgoyal kitty 0.47.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can exploit a TOCTOU (Time-of-Check-Time-of-Use) race condition. Specifically, the issue arises because the file open call does not use the O_NOFOLLOW flag, allowing an attacker to create a symlink between the initial file validation and the actual file creation. This lets the attacker write to arbitrary files on the filesystem by redirecting writes through the symlink.

The vulnerability affects versions of kitty prior to 0.47.2 and allows bypassing the transfer confirmation prompt, potentially overwriting important files such as ~/.bashrc with the user's permissions.

Compliance Impact

The vulnerability in kitty's file transmission protocol allows a child process to write to arbitrary files by exploiting a TOCTOU race condition, potentially causing unauthorized file modifications.

Such unauthorized file writes could lead to data integrity issues, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of data integrity and prevention of unauthorized data modification.

However, the vulnerability does not involve privilege escalation or direct data confidentiality breaches, but the integrity loss could still pose compliance risks depending on the data affected.

Impact Analysis

This vulnerability can lead to high integrity loss by allowing an attacker to overwrite or corrupt arbitrary files on the filesystem. Although it does not escalate privileges, it can cause significant damage by modifying critical user files, potentially affecting system behavior or user environment.

Detection Guidance

This vulnerability involves a TOCTOU race condition in kitty's file transmission protocol where a child process can write to arbitrary files by exploiting symlink following during file creation.

Detection would involve monitoring for unauthorized file writes or modifications, especially to sensitive files like ~/.bashrc, that occur during file transmission operations in kitty versions prior to 0.47.2.

Since the issue is related to symlink exploitation, you can check for suspicious symlink creations or modifications in directories used by kitty during file transmission.

Specific commands are not provided in the resources, but general approaches include:

  • Use filesystem monitoring tools like inotifywait to watch for symlink creation or file modifications in kitty's working directories.
  • Check for unexpected changes to critical user files (e.g., ~/.bashrc) using commands like `ls -l ~/.bashrc` or `stat ~/.bashrc` to verify timestamps and ownership.
  • Audit running processes and child processes spawned by kitty to detect suspicious activity.
Mitigation Strategies

The primary mitigation is to upgrade kitty to version 0.47.2 or later, where the vulnerability has been fixed by adding the O_NOFOLLOW flag to the file open call.

Until the upgrade can be applied, avoid using the file transmission feature in kitty or restrict its use to trusted environments to minimize risk.

Additionally, monitor for suspicious symlink creations and unauthorized file writes as a temporary detection measure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54055. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart