CVE-2026-54055

5.0 MEDIUM

Kitty is a cross-platform GPU based terminal

Published: 2026-06-12 · Last updated: 2026-06-12

Severity and scoring

CVSS: 5.0 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L
CWE: CWE-367, CWE-426, CWE-59

Description

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-54230 — A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport (7.0 HIGH)
CVE-2026-54228 — A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method (7.8 HIGH)
CVE-2026-53838 — OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approv... (9.8 CRITICAL)
CVE-2026-53831 — OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expan... (8.3 HIGH)
CVE-2026-53822 — OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution (8.8 HIGH)