Local Privilege Escalation Vulnerability in Kitty Terminal by Kovid Goyal
CVE-2026-54055

5MEDIUM

Key Information:

Vendor

Kovidgoyal

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-54055?

Kitty, a cross-platform GPU based terminal, is susceptible to a local privilege escalation vulnerability due to a flaw in its file transmission protocol. Versions prior to 0.47.2 allow a child process within the terminal to exploit a TOCTOU (Time-of-Check-Time-of-Use) race condition. This occurs because the os.open() function does not employ the O_NOFOLLOW flag, permitting an adversary to create a symlink that diverts a file write operation to an arbitrary location on the filesystem. The issue has been addressed in version 0.47.2.

Affected Version(s)

kitty < 0.47.2

References

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.