VYPR
High severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-54057

Description

Kitty terminal prior to 0.47.3 unsanitized OSC 21 query reply allows command injection via attacker-controlled bytes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Kitty versions prior to 0.47.3 contain a vulnerability in the handling of OSC 21 (color-control) query replies. The terminal reflects attacker-controlled bytes, including newlines, back into the shell's input without any sanitization. This allows an attacker to inject arbitrary commands into the terminal session. The issue is present in all versions up to and including 0.47.2, and is fixed in version 0.47.3 [1].

Exploitation

An attacker must be able to send a crafted OSC 21 query to the kitty terminal, for example by tricking a user into viewing a malicious file or connecting to a malicious server. The terminal's reply includes the attacker-controlled bytes verbatim, and because newlines are not filtered, the reply is interpreted as shell input. This is similar to the xterm vulnerabilities CVE-2008-2383 and CVE-2022-45063 [1].

Impact

Successful exploitation allows an attacker to inject arbitrary commands into the user's shell. The commands execute with the privileges of the user running kitty, leading to full compromise of the terminal session and potential further system access.

Mitigation

Upgrade to kitty version 0.47.3 or later, which fixes the issue by properly sanitizing OSC 21 query replies. No workaround is available for unpatched versions. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1
424fe9991b5a

Sanitise color control responses for shells that still don't use the kitty keyboard protocol

https://github.com/kovidgoyal/kitty · Kovid Goyal · Jun 9, 2026 · Fixed in 0.47.3 · via llm-release-walk
1 file changed · +2 −0
  • kitty/window.py (+2 −0, modified)
    @@ -551,6 +551,8 @@ def color_control(cp: ColorProfile, code: int, value: str | bytes | memoryview =
         if isinstance(value, (bytes, memoryview)):
             value = str(value, 'utf-8', 'replace')
         responses: dict[str, str] = {}
    +    # Only printable ASCII payload allowed as it is echoed back
    +    value = re.sub(r'[^ -~]', '', value)
         for rec in value.split(';'):
             key, sep, val = rec.partition('=')
             if key.startswith('transparent_background_color'):
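Review bot: the new `value = re.sub(r'[^ -~]', '', value)` line relies on `re` being imported in kitty/window.py, and the hunk does not show the module header; confirm `import re` is present, otherwise `color_control` raises NameError on the first query. Placing the filter after the bytes-to-str decode and before the `for rec in value.split(';')` loop is the right spot: it covers both the key and the value that are later echoed back, and the `[ -~]` class drops ESC, BEL, CR and LF along with every other control byte. Two follow-ups worth requesting: the comment should say that the payload is echoed back into the pty so a later reader does not relax the pattern, and a regression test that feeds a value containing `\n` and `\x1b` and asserts the reply holds only printable ASCII would pin the fix. Note also that the filter silently drops rather than rejects, so a query whose key contains non-ASCII UTF-8 now receives a reply for the ASCII remainder instead of an error.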
    

Vulnerability mechanics

Root cause

"The `color_control` function echoes unknown query keys back into the reply without stripping control characters like newline, allowing command injection into the shell's input."

Attack vector

An attacker crafts an OSC 21 escape sequence containing newline characters embedded in the query key (e.g. `]21;\nid\npwd\n=?\`) and delivers it to the victim's terminal, for example by tricking them into displaying a text file with `cat`. kitty's `find_st_terminator` does not treat newline as a terminator [ref_id=1], so the raw bytes pass through. The `color_control` function [patch_id=5750826] reflects the unknown key back into the reply unchanged, and the reply is written unsanitized into the child pty (shell input) [ref_id=1]. The injected newlines submit arbitrary commands to the shell, achieving command injection.

What the fix does

The patch adds a single regex-based sanitization step in `window.py` that strips all non-printable-ASCII bytes from the query value: `re.sub(r'[^ -~]', '', value)` [patch_id=5750826]. This removes newlines (0x0A), carriage returns, and any other control characters before the value is echoed back into the response. Because newlines are no longer present in the reply, they cannot be injected into the shell's input stream, closing the command injection path. The advisory notes this is the same class of bug as CVE-2008-2383 / CVE-2022-45063 in xterm [ref_id=1].

Preconditions

  • input: Attacker must deliver an OSC 21 escape sequence containing embedded newlines to the victim's terminal (e.g. via `cat poc.txt`)
  • config: Victim's shell must still be reading from the pty when the unsanitized reply is written back

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)