CVE-2026-54056
Status: Received - Intake
Symlink Race Condition in Kitty Terminal

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Kitty is a cross-platform GPU-based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses `utils.CreateAt()` / `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects `kitten dnd` remote drag-and-drop staging, uses different vulnerable code (`kittens/dnd/drop.go` and `tools/utils/file_at_fd.go`), and reproduces on commit `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer `O_NOFOLLOW` fix. Version 0.47.2 patches the issue.
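The description names two gaps in the staging writer: repeated remote basenames are not de-duplicated, and the staged file is opened with O_CREAT|O_TRUNC but without O_NOFOLLOW. The following Go is an added illustration of a staging writer that closes both, not kitty's own code: `Stager`, `uniqueName` and `StageFile` are hypothetical names, and the example assumes a Linux-style `syscall.O_NOFOLLOW`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Stager writes remote drop entries into one staging directory and records
// every basename used in this run, so a repeated remote basename is renamed
// rather than landing on an earlier entry. Hypothetical code, not kitty's.
type Stager struct {
	dir  string
	seen map[string]bool
}

func NewStager(dir string) *Stager { return &Stager{dir: dir, seen: map[string]bool{}} }

// uniqueName keeps only the basename of the remote name (so "../x" stays
// inside dir) and appends -1, -2, ... until it is unused in this run.
func (s *Stager) uniqueName(remote string) string {
	base := filepath.Base(remote)
	if base == "." || base == string(filepath.Separator) {
		base = "unnamed"
	}
	ext := filepath.Ext(base)
	name := base
	for i := 1; s.seen[name]; i++ {
		name = fmt.Sprintf("%s-%d%s", base[:len(base)-len(ext)], i, ext)
	}
	s.seen[name] = true
	return name
}

// StageFile creates a brand-new regular file. O_CREATE|O_EXCL makes any
// pre-existing entry, symlink included, an error instead of a write target,
// and O_NOFOLLOW is an independent second guard against following links.
func (s *Stager) StageFile(remote string, data []byte) (string, error) {
	path := filepath.Join(s.dir, s.uniqueName(remote))
	flags := os.O_WRONLY | os.O_CREATE | os.O_EXCL | syscall.O_NOFOLLOW
	f, err := os.OpenFile(path, flags, 0o600)
	if err != nil {
		return "", fmt.Errorf("stage %q: %w", remote, err)
	}
	defer f.Close()
	_, err = f.Write(data)
	return path, err
}
```

With these flags a symlink that already sits under the chosen name causes the open to fail with EEXIST, so the file it points to is never truncated; the de-duplication additionally keeps a second entry with the same remote name from ever being aimed at the first.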
Affected Vendors & Products (3 associated CPEs)
Vendor   Product   Version / Range
kitty    kitty     0.47.0
kitty    kitty     0.47.1
kitty    kitty     to 0.47.2 (inc)
CWE
CWE-59: The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Executive Summary

This vulnerability affects the Kitty terminal application, specifically versions 0.47.0 and 0.47.1. It involves the `kitten dnd` feature, which handles remote drag-and-drop operations. An attacker can exploit this by creating a staged symbolic link (symlink) in the temporary directory used for drag-and-drop file staging. Then, by sending a file with the same name as the symlink, the application follows the symlink due to improper use of file open flags (missing O_NOFOLLOW), allowing the attacker to overwrite or truncate arbitrary files writable by the local user outside the intended staging directory.

This issue arises because duplicate remote basenames are not de-duplicated on case-sensitive filesystems, enabling the symlink attack. The vulnerability is fixed in version 0.47.2.

Impact Analysis

This vulnerability can allow a remote attacker to overwrite or truncate arbitrary files that the local Kitty user has write access to. This can lead to unauthorized modification or destruction of important files, potentially causing data loss, corruption, or disruption of normal operations.

Because the attacker can write files outside the intended staging directory, they might manipulate configuration files, scripts, or other sensitive data, which could be leveraged for further attacks or to compromise system integrity.

Mitigation Strategies

To mitigate this vulnerability, upgrade kitty to version 0.47.2 or later, as this version patches the issue.
