CVE-2026-54057
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2026-54057 is a command injection vulnerability in kitty, a cross-platform GPU-based terminal emulator, caused by unsanitized reflection of attacker-controlled bytes in OSC 21 (color-control) query replies. Affecting all versions up to and including 0.47.2, the flaw allows arbitrary shell commands to be injected into the user's shell input stream. It was disclosed on June 12, 2026, and shares the same class of vulnerability as CVE-2008-2383 and CVE-2022-45063 (xterm). The CVSS v4.0 base score is 7.3 (High) (GitHub Advisory, Red Hat Bugzilla).

Technical details

The root cause is improper neutralization of escape, meta, or control sequences (CWE-150) and improper control of code generation (CWE-94) in kitty's color_control function (kitty/window.py). When kitty processes an OSC 21 query, it reflects unknown query keys — including attacker-supplied newline characters — directly back into the child PTY (the shell's input) via send_escape_code_to_child without sanitization. The OSC parser (vt-parser.c) only terminates sequences on BEL or ESC, meaning embedded newlines pass through unfiltered; when the reply is written to the shell's input, the newline acts as a command delimiter, causing the shell to execute the injected content. A public proof-of-concept is included in the GitHub advisory: printf '\033]21;\nid\npwd\n=?\033\\' > poc.txt; cat poc.txt is sufficient to trigger arbitrary command execution (GitHub Advisory).

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands in the context of the victim user's shell session, with full confidentiality, integrity, and availability impact on the vulnerable system. Because simply cat-ing a maliciously crafted text file in kitty is sufficient to trigger execution, the attack surface includes any scenario where a user views attacker-controlled content in the terminal — such as log files, downloaded files, or remote data piped through the terminal. This can lead to data exfiltration, installation of malware, or complete compromise of the user's account and local system (GitHub Advisory, Red Hat Bugzilla).

Exploitation steps

  1. Craft malicious file: Create a file embedding an OSC 21 escape sequence with injected newlines and shell commands, e.g., printf '\033]21;\nid\npwd\npython3 -c "print(print.__self__)"\nopen -a Calculator\n=?\033\\' > poc.txt.
  2. Deliver the file: Place the malicious file where the victim is likely to view it — e.g., as a log file, README, or any text artifact the victim might cat in their kitty terminal.
  3. Trigger execution: The victim opens kitty (version ≤ 0.47.2) and runs cat poc.txt or otherwise displays the file content in the terminal.
  4. Command injection occurs: kitty processes the OSC 21 sequence, reflects the attacker-controlled bytes (including newlines) unsanitized into the shell's PTY input; the shell interprets each newline-delimited string as a separate command and executes them.
  5. Achieve objective: The injected commands run with the victim user's privileges, enabling data exfiltration, reverse shell establishment, or further system compromise (GitHub Advisory).

Indicators of compromise

  • File System: Presence of files containing OSC 21 escape sequences with embedded newlines (\033]21; followed by \n within the sequence body, before the =? query marker and the \033\\ terminator); unexpected scripts or binaries created in user home or temp directories following terminal activity.
  • Logs: Shell history entries showing unexpected commands (e.g., id, pwd, reverse shell one-liners) that the user did not intentionally type; terminal session logs capturing OSC 21 sequences with embedded newlines.
  • Process: Unexpected child processes spawned by the user's shell (e.g., python3, curl, wget, bash -i) immediately after a cat or file-viewing command in kitty; unusual network connections originating from the user's shell process.
  • Network: Outbound connections to unknown external IPs from the user's workstation shortly after terminal file-viewing activity (GitHub Advisory).
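As an added defender-side example (not code from the advisory or the kitty project), the scanner below applies the terminator rule described under Technical details (an OSC sequence ends only at BEL or ESC) so that OSC 21 sequences carrying raw newlines can be flagged in files or captured terminal logs, which is the indicator listed above. The sample bytes are constructed, and the key name in the benign query is an assumption.

```python
import re
from typing import List, Tuple

ESC, BEL = b"\x1b", b"\x07"

def find_osc_sequences(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, payload) for every OSC sequence (ESC ] ... ).

    The terminator rule mirrors the one described for kitty's vt-parser.c:
    only BEL or ESC ends the sequence, so a raw newline is kept as payload
    rather than ending it.
    """
    found, i = [], 0
    while True:
        start = data.find(b"\x1b]", i)
        if start < 0:
            return found
        j = start + 2
        while j < len(data) and data[j:j + 1] not in (BEL, ESC):
            j += 1
        found.append((start, data[start + 2:j]))
        i = j  # the ESC that ended this sequence may begin the next one

def suspicious_osc21(data: bytes) -> List[bytes]:
    """Payloads of OSC 21 sequences that embed CR or LF.

    A well-formed OSC 21 color query never contains line delimiters, so
    their presence is the indicator the advisory describes.
    """
    return [payload for _, payload in find_osc_sequences(data)
            if payload.startswith(b"21;") and re.search(rb"[\r\n]", payload)]

def split_as_shell_would(payload: bytes) -> List[str]:
    """For incident triage: the newline-delimited chunks the shell would
    receive as separate input lines if this payload were reflected unsanitized."""
    return [p.decode(errors="replace") for p in re.split(rb"[\r\n]+", payload) if p]

# Constructed sample (not a captured file): benign log text, a benign OSC 21
# query (key name assumed), the advisory's PoC bytes, and an OSC 0 title.
SAMPLE = (b"INFO service started\n"
          b"\x1b]21;foreground=?\x1b\\"
          b"\x1b]21;\nid\npwd\n=?\x1b\\"
          b"\x1b]0;window title\x07done\n")

if __name__ == "__main__":
    for hit in suspicious_osc21(SAMPLE):
        print("suspicious OSC 21 payload:", hit, "->", split_as_shell_would(hit))
```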

Mitigation and workarounds

Upgrade kitty to version 0.47.3 or later, which sanitizes OSC 21 query replies to prevent injection of newlines and other control characters into the shell's input. Until patched, users should avoid cat-ing or displaying untrusted files in kitty, and should avoid piping untrusted remote data through the terminal. No configuration-based workaround is documented; upgrading is the only reliable fix (GitHub Advisory, Red Hat Bugzilla).

Community reactions

The vulnerability was reported by security researcher hyuunnn and acknowledged by the kitty maintainer (kovidgoyal), who published the advisory and patch on June 12, 2026. Red Hat opened a high-severity bug tracking entry (Bugzilla #2488553) for the issue. The advisory explicitly notes the similarity to the well-known xterm vulnerabilities CVE-2008-2383 and CVE-2022-45063, contextualizing it as a recurring class of terminal emulator security issue (GitHub Advisory, Red Hat Bugzilla).

Additional resources


This report was generated using AI.

Related Linux Debian vulnerabilities:

CVE ID          Severity  Score  Technology    Component                CISA KEV  Fixed  Published
CVE-2026-54056  HIGH      7.6    Linux Debian  kitty                    No        No     Jun 12, 2026
CVE-2026-54057  HIGH      7.3    Linux Debian  kitty                    No        No     Jun 12, 2026
CVE-2026-54421  MEDIUM    6.8    Linux Debian  ironic                   No        No     Jun 14, 2026
CVE-2026-11527  NONE      N/A    Linux Debian  libconfig-inifiles-perl  No        No     Jun 14, 2026
CVE-2026-11526  NONE      N/A    Linux Debian  libgd-perl               No        Yes    Jun 14, 2026
