CVE-2026-54055
Analyzed Analyzed - Analysis Complete

Local Privilege Escalation in Kitty Terminal via TOCTOU Race Condition

Vulnerability report for CVE-2026-54055, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-16

Assigner: GitHub, Inc.

Description

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-12
Last Modified
2026-06-16
Generated
2026-07-03
AI Q&A
2026-06-13
EPSS Evaluated
2026-07-01
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kovidgoyal kitty to 0.47.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in kitty's file transmission protocol allows a child process to write to arbitrary files by exploiting a TOCTOU race condition, potentially causing unauthorized file modifications.

Such unauthorized file writes could lead to data integrity issues, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of data integrity and prevention of unauthorized data modification.

However, the vulnerability does not involve privilege escalation or direct data confidentiality breaches, but the integrity loss could still pose compliance risks depending on the data affected.

Executive Summary

This vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can exploit a TOCTOU (Time-of-Check-Time-of-Use) race condition. Specifically, the issue arises because the file open call does not use the O_NOFOLLOW flag, allowing an attacker to create a symlink between the initial file validation and the actual file creation. This lets the attacker write to arbitrary files on the filesystem by redirecting writes through the symlink.

The vulnerability affects versions of kitty prior to 0.47.2 and allows bypassing the transfer confirmation prompt, potentially overwriting important files such as ~/.bashrc with the user's permissions.

Impact Analysis

This vulnerability can lead to high integrity loss by allowing an attacker to overwrite or corrupt arbitrary files on the filesystem. Although it does not escalate privileges, it can cause significant damage by modifying critical user files, potentially affecting system behavior or user environment.

Detection Guidance

This vulnerability involves a TOCTOU race condition in kitty's file transmission protocol where a child process can write to arbitrary files by exploiting symlink following during file creation.

Detection would involve monitoring for unauthorized file writes or modifications, especially to sensitive files like ~/.bashrc, that occur during file transmission operations in kitty versions prior to 0.47.2.

Since the issue is related to symlink exploitation, you can check for suspicious symlink creations or modifications in directories used by kitty during file transmission.

Specific commands are not provided in the resources, but general approaches include:

  • Use filesystem monitoring tools like inotifywait to watch for symlink creation or file modifications in kitty's working directories.
  • Check for unexpected changes to critical user files (e.g., ~/.bashrc) using commands like `ls -l ~/.bashrc` or `stat ~/.bashrc` to verify timestamps and ownership.
  • Audit running processes and child processes spawned by kitty to detect suspicious activity.
Mitigation Strategies

The primary mitigation is to upgrade kitty to version 0.47.2 or later, where the vulnerability has been fixed by adding the O_NOFOLLOW flag to the file open call.

Until the upgrade can be applied, avoid using the file transmission feature in kitty or restrict its use to trusted environments to minimize risk.

Additionally, monitor for suspicious symlink creations and unauthorized file writes as a temporary detection measure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54055. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart