Kitty has an Arbitrary File Write via Symlink Race Condition in File Transmission Protocol
CVE-2026-54055

5 MEDIUM

Key Information:

Vendor

Kovidgoyal

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-54055?

Kitty is a cross-platform GPU-based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol: a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The os.open() call used to create files does not use O_NOFOLLOW, so an attacker who creates a symlink between the initial stat check and the actual file open causes the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
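As an added illustration (not kitty's code, and not the upstream fix), the following Python contrasts the os.open() pattern the advisory describes with one that passes O_NOFOLLOW and then verifies the descriptor it actually holds; the file names are constructed in a temporary directory.

```python
import errno
import os
import stat
import tempfile

# Added example, not kitty's code: contrasts the check-then-open pattern the
# advisory describes with an open that refuses to follow a symlink at the
# final path component. With O_NOFOLLOW, open() fails with ELOOP (EMLINK on
# some BSDs) if `path` is a symlink, so no lstat()-then-open() window exists.
SAFE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW


def write_file_unsafe(path: str, data: bytes) -> None:
    """Open without O_NOFOLLOW: a symlink at `path` is silently followed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_file_nofollow(path: str, data: bytes) -> bool:
    """Write `data` to a regular file at `path`. Returns False (writing
    nothing) if `path` is a symlink or is not a regular file."""
    try:
        fd = os.open(path, SAFE_FLAGS, 0o600)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):
            return False
        raise
    try:
        # O_NOFOLLOW only covers the last component; fstat() on the opened
        # descriptor (not a second stat() of the path) confirms what we hold.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        os.write(fd, data)
        return True
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario in a temp dir: `link` -> `target`."""
    with tempfile.TemporaryDirectory() as d:
        target, link = os.path.join(d, "target"), os.path.join(d, "link")
        with open(target, "wb") as f:
            f.write(b"original")
        os.symlink(target, link)
        write_file_unsafe(link, b"clobbered")          # follows the link
        refused = not write_file_nofollow(link, b"x")  # ELOOP, nothing written
        with open(target, "rb") as f:
            after = f.read()
        return {"unsafe_followed": after == b"clobbered", "nofollow_refused": refused}
```

Symlinks in parent directories are still followed by O_NOFOLLOW; guarding those requires opening relative to a directory descriptor (dir_fd) component by component.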

Affected Version(s)

kitty < 0.47.2

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved