2488556 – (CVE-2026-54055) CVE-2026-54055 kitty: Kitty: Local privilege escalation via TOCTOU race condition in file transmission protocol

Bug 2488556 (CVE-2026-54055) - CVE-2026-54055 kitty: Kitty: Local privilege escalation via TOCTOU race condition in file transmission protocol

Summary: CVE-2026-54055 kitty: Kitty: Local privilege escalation via TOCTOU race condi...

Keywords:
Status:	NEW
Alias:	CVE-2026-54055
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2488605 2488607
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-12 21:02 UTC by OSIDB Bzimport
Modified:	2026-06-12 22:20 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-12 21:02:21 UTC

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.

Note You need to log in before you can comment on or make changes to this bug.