PatchSiren cyber security CVE debrief
CVE-2026-54055 kovidgoyal CVE debrief
A local privilege escalation vulnerability exists in Kitty, a cross-platform GPU-based terminal, in versions prior to 0.47.2. The vulnerability is caused by a Time-of-Check-Time-of-Use (TOCTOU) race condition between symlink validation and file creation in Kitty's file transmission protocol. This allows a child process running in the terminal to write to arbitrary files on the filesystem by exploiting the TOCTOU vulnerability. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
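The check-then-open pattern described above, shown beside a hardened form that lets the kernel refuse symlinks atomically, as an added example. This is illustrative code written for this debrief, not Kitty's own file-transfer implementation; the function names, the `between_check_and_open` test hook, and the `victim`/`dest` scenario are constructed so the window can be exercised deterministically in a test.

```python
import errno
import os
import stat
import tempfile

def open_new_file_unsafe(path, between_check_and_open=lambda: None):
    """Weak pattern (modelled on the advisory text): a separate lstat()
    check, then a plain os.open() that follows symlinks.  The gap between
    the two calls is the TOCTOU window; the callback exists only so a test
    can act inside that window deterministically."""
    try:
        if stat.S_ISLNK(os.lstat(path).st_mode):
            raise PermissionError(f"refusing to write through symlink: {path}")
    except FileNotFoundError:
        pass  # destination does not exist yet, the expected case for a new file
    between_check_and_open()  # window in which the path can be replaced
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)

def open_new_file_hardened(path):
    """Hardened form: O_NOFOLLOW makes open() fail with ELOOP on a symlink,
    O_EXCL makes it fail with EEXIST if anything already sits at the path,
    so there is no separate stat() check and therefore no window."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    if not stat.S_ISREG(os.fstat(fd).st_mode):  # verify the descriptor, not the path
        os.close(fd)
        raise PermissionError(f"unexpected file type at {path}")
    return fd

def write_new_file(path, data, opener):
    fd = opener(path)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: 'victim' must never be touched; 'dest' is the
    path the terminal agreed to create.  Returns (victim contents after the
    unsafe write, errno name raised by the hardened open, or None)."""
    with tempfile.TemporaryDirectory() as d:
        victim, dest = os.path.join(d, "victim"), os.path.join(d, "dest")
        with open(victim, "wb") as f:
            f.write(b"original")
        # Unsafe: the lstat check passes (dest absent), then dest becomes a symlink.
        write_new_file(dest, b"redirected", lambda p: open_new_file_unsafe(
            p, between_check_and_open=lambda: os.symlink(victim, p)))
        with open(victim, "rb") as f:
            clobbered = f.read()
        # Hardened: the same symlink is in place; the open must fail, victim untouched.
        try:
            write_new_file(dest, b"redirected", open_new_file_hardened)
            err = None
        except OSError as e:
            err = errno.errorcode.get(e.errno)
        return clobbered, err
```

`demo()` doubles as a regression test for the fix: the unsafe opener lets the write land in `victim`, while the hardened opener fails at the kernel boundary before any byte is written.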
- Vendor: kovidgoyal
- Product: kitty
- CVSS: MEDIUM 5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Kitty versions prior to 0.47.2 should update to version 0.47.2 or later to mitigate this vulnerability.
Technical summary
The vulnerability has a CVSS score of 5 and a severity of MEDIUM. It requires local access, high attack complexity, low privileges, and user interaction. The vulnerability allows for high impact on integrity and low impact on availability.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Kitty to version 0.47.2 or later.
Evidence notes
The vulnerability was reported by an unknown vendor and has a trust class of official_vulnerability_database.
Official resources
- CVE-2026-54055 CVE record (CVE.org)
- CVE-2026-54055 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
CVE-2026-54055 was published on 2026-06-12T20:16:47.450Z and has not been modified since.