Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2026-54055— Kitty has an Arbitrary File Write via Symlink Race Condition in File Transmission Protocol

CVSS 5.0 · Medium EPSS 0.07% · P0

Affected Version Matrix 1

VendorProductVersion RangeStatus
kovidgoyalkitty< 0.47.2affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-54055

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Kitty has an Arbitrary File Write via Symlink Race Condition in File Transmission Protocol
Source: NVD (National Vulnerability Database)
Vulnerability Description
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
在文件访问前对链接解析不恰当(链接跟随)
Source: NVD (National Vulnerability Database)
Vulnerability Title
kovidgoyal kitty 竞争条件问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Kovidgoyal kitty是Kovidgoyal个人开发者开源的一个基于Python的GPU终端仿真软件。 该软件可提供基本的终端功能,并且基于GPU渲染可降低系统负载,采用OpenGL进行渲染,可支持在Linux、Mac上使用。 kovidgoyal kitty 0.47.2之前版本存在安全漏洞,该漏洞源于文件传输协议中符号链接验证和文件创建之间存在TOCTOU竞争条件,`os.open()`调用未使用`O_NOFOLLOW`,可能导致本地权限提升。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
kovidgoyalkitty < 0.47.2 -

II. Public POCs for CVE-2026-54055

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-54055

登录查看更多情报信息。

Vendor Advisories for CVE-2026-54055 (1)

Same Patch Batch · kovidgoyal · 2026-06-12 · 5 CVEs total

CVE-2026-428517.8 HIGH@kitty-edit DCS + --color=geninclude vulnerable to Unauthenticated in-process RCE
CVE-2026-540567.6 HIGHKitty has an arbitrary file overwrite via symlink following in `kitten dnd` remote drop st
CVE-2026-42850Kitty has a shell command injection
CVE-2026-54057Kitty vulnerable to command injection via unsanitized OSC 21 query reply

IV. Related Vulnerabilities

Same product: kitty
Same vendor: kovidgoyal
Same weakness: CWE-59

V. Comments for CVE-2026-54055

No comments yet

Leave a comment