CVE-2026-54055 MEDIUM

CVE-2026-54055: Kitty has an Arbitrary File Write via Symlink Race Condition in File Transmission Protocol

Vendor: Kovidgoyal
Product: kitty
Weakness: CWE-59 (improper link resolution before file access)
Published: June 12, 2026
Last update: June 15, 2026

CVSS base score: 5.0/10

Attack vector: Local
Attack complexity: High
Privileges required: Low
User interaction: Required
Confidentiality: None
Integrity: High

CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L

Description: what the vulnerability does

Kitty is a cross-platform, GPU-based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol: a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (time-of-check/time-of-use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, so an attacker can create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
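The description above names the two ingredients of the bug: a separate stat check, and an `os.open()` that will follow a symlink planted after that check. The following is an added example (not kitty's code, and not the upstream fix) contrasting that check-then-open pattern with a hardened variant that lets the kernel refuse the symlink atomically with the open via `O_NOFOLLOW`, creates the file relative to an already-opened parent directory (`dir_fd`), and verifies with `fstat()` that what was opened is a regular file. The `between_check_and_open` hook, the `demo()` scenario and all file names are constructed for the demonstration so the TOCTOU window can be exercised deterministically in a temporary directory rather than by racing threads.

```python
import errno
import os
import stat
import tempfile

# Flags shared by both variants: create (or truncate) a file for writing.
_WRITE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_TRUNC

# Errno the kernel returns when O_NOFOLLOW meets a symlink at the final
# path component: ELOOP on Linux and macOS, EMLINK on FreeBSD.
_NOFOLLOW_ERRNOS = {errno.ELOOP, errno.EMLINK}


def write_file_check_then_open(path, data, between_check_and_open=None):
    """Pre-fix pattern as the advisory describes it: lstat() the path,
    reject symlinks, then os.open() WITHOUT O_NOFOLLOW.  The hypothetical
    `between_check_and_open` hook runs inside the TOCTOU window."""
    try:
        if stat.S_ISLNK(os.lstat(path).st_mode):
            raise PermissionError(f"{path} is a symlink")
    except FileNotFoundError:
        pass  # file does not exist yet; creating it is the normal case
    if between_check_and_open is not None:
        between_check_and_open()  # the window a local attacker races for
    fd = os.open(path, _WRITE_FLAGS, 0o600)  # follows a symlink planted above
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def write_file_nofollow(path, data, between_check_and_open=None):
    """Hardened pattern: no separate check to race.  The parent directory is
    opened first and the file is created relative to it (dir_fd), and
    O_NOFOLLOW makes the kernel refuse a symlink at the final component
    atomically with the open."""
    parent, name = os.path.split(os.path.abspath(path))
    dfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        if between_check_and_open is not None:
            between_check_and_open()  # same window; now harmless
        fd = os.open(name, _WRITE_FLAGS | os.O_NOFOLLOW, 0o600, dir_fd=dfd)
    finally:
        os.close(dfd)
    try:
        # O_NOFOLLOW covers only symlinks; also reject a FIFO or device node
        # substituted at the path, which a plain open would happily write to.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{path} is not a regular file")
        os.write(fd, data)
    finally:
        os.close(fd)


def is_symlink_refusal(exc):
    """True when an OSError is the kernel refusing to follow a symlink."""
    return isinstance(exc, OSError) and exc.errno in _NOFOLLOW_ERRNOS


def demo():
    """Constructed scenario: `victim` holds data the writer must never touch,
    `out` is the path the writer is asked to create, and the hook plants the
    symlink out -> victim inside the window.  Returns the contents of `victim`
    after each variant, whether the hardened variant refused, and the contents
    of a file the hardened variant wrote to a clean path."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        out = os.path.join(d, "out")
        with open(victim, "wb") as f:
            f.write(b"original")

        def plant_symlink():
            os.symlink(victim, out)

        write_file_check_then_open(out, b"overwritten", plant_symlink)
        with open(victim, "rb") as f:
            after_racy = f.read()

        os.unlink(out)  # remove the planted symlink and reset the victim
        with open(victim, "wb") as f:
            f.write(b"original")
        refused = False
        try:
            write_file_nofollow(out, b"overwritten", plant_symlink)
        except OSError as e:
            refused = is_symlink_refusal(e)
        with open(victim, "rb") as f:
            after_hardened = f.read()

        clean = os.path.join(d, "fresh")
        write_file_nofollow(clean, b"payload")
        with open(clean, "rb") as f:
            normal = f.read()
        return after_racy, after_hardened, refused, normal


if __name__ == "__main__":
    print(demo())
```

Note that `O_NOFOLLOW` applies only to the last path component; a symlinked directory earlier in the path is still followed, which is why the hardened variant resolves the parent directory once and then creates the file relative to that descriptor. Whether to accept a parent directory reached through a symlink at all is a policy decision for the receiving program.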

Disclosure timeline: key dates

June 12, 2026: CVE published
June 15, 2026: Record updated