CVE-2026-54056

Summary

Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, kitten dnd can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote text/uri-list drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses utils.CreateAt() / openat(O_RDWR|O_CREAT|O_TRUNC) without O_NOFOLLOW, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects kitten dnd remote drag-and-drop staging, uses different vulnerable code (kittens/dnd/drop.go and tools/utils/file_at_fd.go), and reproduces on commit 4aa4a5c0567a92553a8c20a88a4352da637fca5d, after the file-transfer O_NOFOLLOW fix. Version 0.47.2 patches the issue.

Affected Software

VendorProductVersion RangeStatus
kovidgoyalkitty>= 0.47.0, < 0.47.2affected

Weaknesses

  • CWE-59: CWE-59: Improper Link Resolution Before File Access ('Link Following')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References