
CVE-2026-54056 is a symlink-following vulnerability (CWE-59) in the kitten dnd drag-and-drop feature of Kitty, a cross-platform GPU-based terminal emulator. It affects versions 0.47.0 and 0.47.1, allowing a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local Kitty user. The vulnerability was published on June 12, 2026, with a patch available in version 0.47.2. It carries a CVSS v3.1 base score of 7.6 (High) (GitHub Advisory, Red Hat).
The root cause is improper link resolution before file access (CWE-59) in kittens/dnd/drop.go and tools/utils/file_at_fd.go. When processing remote text/uri-list drag-and-drop operations on case-sensitive filesystems, duplicate remote basenames are not de-duplicated — the deduplication logic only activates on case-insensitive filesystems. An attacker can first send a symlink entry with a chosen name (e.g., same-name) pointing to an arbitrary target outside the staging directory, then send a regular-file entry with the identical basename. The subsequent utils.CreateAt() call invokes openat(O_RDWR|O_CREAT|O_TRUNC) without the O_NOFOLLOW flag, causing it to follow the attacker-controlled symlink and write file contents to the symlink's target outside the staging directory. Critically, the --confirm-drop-overwrite protection runs only after the write has already occurred, rendering it ineffective. A PoC test (TestRemoteDnDDuplicateSymlinkRegularWriteEscapesStaging) was included in the advisory and confirmed to pass on commit 4aa4a5c0567a92553a8c20a88a4352da637fca5d (GitHub Advisory).
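The two-part fix described above (de-duplicating staging basenames unconditionally and opening staging files with O_NOFOLLOW) is shown below as an added example. This is not Kitty's code: writeNoFollow, staging, uniqueName, addSymlink and addRegular are hypothetical helper names, the " (n)" suffix scheme for duplicate names is an assumption, and the victim and staging files in main are constructed stand-ins for a user-writable file and Kitty's temporary staging directory. It runs on Linux and macOS.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// writeNoFollow creates or truncates the single path component name inside
// dir and writes data to it. The flags are the advisory's
// openat(O_RDWR|O_CREAT|O_TRUNC) plus O_NOFOLLOW: if name is a symlink the
// kernel fails the open with ELOOP, so nothing outside dir is opened,
// truncated or written. Hypothetical helper, not Kitty's utils.CreateAt().
func writeNoFollow(dir, name string, data []byte) error {
	// A remote-supplied basename must stay a single component of dir.
	if name == "" || name == "." || name == ".." || strings.ContainsRune(name, os.PathSeparator) {
		return fmt.Errorf("invalid staging basename %q", name)
	}
	dirfd, err := syscall.Open(dir, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return err
	}
	defer syscall.Close(dirfd)

	flags := syscall.O_RDWR | syscall.O_CREAT | syscall.O_TRUNC | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
	fd, err := syscall.Openat(dirfd, name, flags, 0o600)
	if err != nil {
		if errors.Is(err, syscall.ELOOP) {
			return fmt.Errorf("refusing to write %q: staging entry is a symlink", name)
		}
		return err
	}
	f := os.NewFile(uintptr(fd), filepath.Join(dir, name))
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// staging tracks basenames already used by earlier entries of the same drop
// so a later entry can never reuse an earlier entry's path. The check is
// unconditional (the affected versions applied it only on case-insensitive
// filesystems) and case-folded, so behaviour is identical on both kinds.
type staging struct {
	dir  string
	used map[string]bool
}

func newStaging(dir string) *staging {
	return &staging{dir: dir, used: make(map[string]bool)}
}

// uniqueName returns base, or base with a numeric suffix before the
// extension, whichever is unused in this drop (assumed naming scheme).
func (s *staging) uniqueName(base string) string {
	ext := filepath.Ext(base)
	stem := strings.TrimSuffix(base, ext)
	name := base
	for i := 1; s.used[strings.ToLower(name)]; i++ {
		name = fmt.Sprintf("%s (%d)%s", stem, i, ext)
	}
	s.used[strings.ToLower(name)] = true
	return name
}

// addSymlink stages a symlink entry (cmd.Xp == 1 in the advisory's terms).
func (s *staging) addSymlink(base, target string) (string, error) {
	name := s.uniqueName(base)
	return name, os.Symlink(target, filepath.Join(s.dir, name))
}

// addRegular stages a regular-file entry (cmd.Xp == 0). Even if the dedup
// were bypassed, writeNoFollow would still refuse to go through a symlink.
func (s *staging) addRegular(base string, data []byte) (string, error) {
	name := s.uniqueName(base)
	return name, writeNoFollow(s.dir, name, data)
}

func main() {
	root, err := os.MkdirTemp("", "dnd-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	victim := filepath.Join(root, "victim.txt") // constructed stand-in for a user-writable file
	_ = os.WriteFile(victim, []byte("original\n"), 0o600)
	stage := filepath.Join(root, "staging") // constructed stand-in for the staging dir
	_ = os.Mkdir(stage, 0o700)

	st := newStaging(stage)
	n1, _ := st.addSymlink("same-name", victim)
	n2, err := st.addRegular("same-name", []byte("payload\n"))
	fmt.Printf("symlink staged as %q, regular file staged as %q (err=%v)\n", n1, n2, err)

	// Direct write using the symlink's own name: O_NOFOLLOW makes the kernel refuse.
	err = writeNoFollow(stage, "same-name", []byte("payload\n"))
	got, _ := os.ReadFile(victim)
	fmt.Printf("write through symlink: err=%v; victim still %q\n", err, got)
}
```

The two layers are deliberately independent: the dedup guarantees a symlink and a regular file never share a staging path, and O_NOFOLLOW guarantees that even a symlink that does end up at the path cannot redirect the write. Either alone would have closed the reported chain; together, a regression in one does not reopen it.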
A low-privileged remote attacker who can act as a malicious drag-and-drop source can overwrite or truncate any file writable by the local Kitty user, breaking the intended staging-directory isolation boundary. Practical targets include shell startup files (e.g., .bashrc, .zshrc), application configuration files, SSH authorized keys, or project files — any of which could be leveraged for privilege escalation or persistent code execution within the user's context. The vulnerability does not require Kitty to run as root, so impact is bounded to the local user's privileges, but integrity impact is rated High and availability impact is Low due to the potential for file corruption (GitHub Advisory, Red Hat).
Exploitation chain, as described in the advisory:
1. The victim uses kitten dnd with a remote drag-and-drop source that the attacker controls.
2. The attacker selects a file writable by the local Kitty user (e.g., ~/.bashrc, ~/.ssh/authorized_keys, or a user-writable script) as the symlink target.
3. The attacker sends a text/uri-list drop containing a symlink entry (cmd.Xp == 1) with a chosen basename (e.g., same-name) whose target resolves to the desired file outside the staging directory. Kitty stages this as a symlink in the temporary staging directory.
4. The attacker sends a second entry with the identical basename (same-name) but as a regular file (cmd.Xp == 0) containing the malicious payload (e.g., a backdoored shell command).
5. Because the duplicate basename is not de-duplicated on case-sensitive filesystems, utils.CreateAt() opens the existing same-name path using openat(O_RDWR|O_CREAT|O_TRUNC) without O_NOFOLLOW, following the symlink to the target file outside staging.
6. The payload is written to the target file (e.g., ~/.bashrc). The --confirm-drop-overwrite prompt fires only after this write has already completed, providing no protection.

Detection indicators:
- Filesystem: symlinks appearing in Kitty's temporary staging directory (e.g., under /tmp) pointing to files outside the staging path; unexpected modification timestamps on user configuration files (e.g., ~/.bashrc, ~/.zshrc, ~/.ssh/authorized_keys) coinciding with a drag-and-drop session.
- Syscall auditing: openat syscalls with O_RDWR|O_CREAT|O_TRUNC flags resolving through a symlink to a path outside the expected staging directory, originating from the Kitty process.
- Process monitoring: the Kitty process (kitty) performing file writes to paths outside its expected temporary staging directory during or shortly after a kitten dnd session.
- Protocol: duplicate basenames (a symlink entry followed by a regular-file entry) within a single remote text/uri-list payload (GitHub Advisory).

Remediation: the primary remediation is to upgrade Kitty to version 0.47.2 or later, which patches the issue by properly handling duplicate remote DnD basenames and adding O_NOFOLLOW protection to staging writes (GitHub Advisory). As a workaround for users unable to upgrade immediately, avoid using kitten dnd for remote drag-and-drop operations from untrusted sources. Additionally, restricting drag-and-drop operations to trusted SSH hosts and monitoring temporary staging directories for unexpected symlinks can reduce risk. The --confirm-drop-overwrite flag does not mitigate this vulnerability, as the unsafe write occurs before the confirmation prompt (Red Hat).
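The filesystem indicator above (symlinks in a staging directory that point outside it) can be checked mechanically. The following is an added example, not Kitty's code or tooling: escapingSymlinks, finding and isWithin are hypothetical names, and the staging tree built in main is constructed. It walks the tree without following links, canonicalises both the root and each link target with EvalSymlinks so that aliases such as /tmp -> /private/tmp do not produce false positives, and also reports dangling links whose raw target would leave the tree once created.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// finding is one symlink under the staging root whose target is not under it.
type finding struct {
	Link     string // path of the symlink inside the staging tree
	Target   string // resolved target, or the cleaned raw link text if dangling
	Dangling bool
}

// escapingSymlinks walks root (without following links) and reports every
// symlink that resolves outside it. Hypothetical detection helper.
func escapingSymlinks(root string) ([]finding, error) {
	absRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	if absRoot, err = filepath.Abs(absRoot); err != nil {
		return nil, err
	}
	var out []finding
	err = filepath.WalkDir(absRoot, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil
		}
		target, err := filepath.EvalSymlinks(p)
		dangling := err != nil
		if dangling {
			// Target does not exist (yet): judge the raw link text instead.
			raw, rerr := os.Readlink(p)
			if rerr != nil {
				return rerr
			}
			if !filepath.IsAbs(raw) {
				raw = filepath.Join(filepath.Dir(p), raw)
			}
			target = filepath.Clean(raw)
		}
		if !isWithin(absRoot, target) {
			out = append(out, finding{Link: p, Target: target, Dangling: dangling})
		}
		return nil
	})
	return out, err
}

// isWithin reports whether path equals root or lies beneath it.
func isWithin(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	root, err := os.MkdirTemp("", "dnd-staging-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	stage := filepath.Join(root, "staging") // constructed stand-in for the staging dir
	_ = os.Mkdir(stage, 0o700)
	outside := filepath.Join(root, "outside.txt") // constructed stand-in for a file like ~/.bashrc
	_ = os.WriteFile(outside, []byte("x"), 0o600)
	_ = os.WriteFile(filepath.Join(stage, "inside.txt"), []byte("x"), 0o600)
	_ = os.Symlink("inside.txt", filepath.Join(stage, "ok"))
	_ = os.Symlink(outside, filepath.Join(stage, "escape"))

	findings, err := escapingSymlinks(stage)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("ALERT symlink %s -> %s (dangling=%v)\n", f.Link, f.Target, f.Dangling)
	}
}
```

Run against the staging directories kitten dnd creates, this produces one line per escaping link; a link that stays inside the tree (like "ok" above) is not reported, so the output is a direct signal of the pattern the advisory describes rather than of every symlink a legitimate drop might contain.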
The vulnerability was reported by researcher sondt99 and credited in the GitHub Security Advisory. A Mastodon post from @thehackerwire referenced the CVE shortly after disclosure. Red Hat tracked the issue via Bugzilla (Bug 2488555) and assigned it a high severity rating. No significant broader media coverage or notable community controversy has been identified beyond standard vulnerability tracking (GitHub Advisory, Red Hat Bugzilla).
Source: This report was generated with the help of AI