Kitty terminal CVE-2026-33633

EUVD-2026-30964 | HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-19 GitHub_M
CVSS 3.1: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: May 19, 2026 - 18:03 (EUVD)
Source Code Evidence Fetched: May 19, 2026 - 18:00 (vuln.today)
Analysis Generated: May 19, 2026 - 18:00 (vuln.today)

Description (NVD)

Kitty is a cross-platform GPU-based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing DoS and potentially escalating to RCE. This issue has been fixed in version 0.47.0.

Analysis (AI)

Heap buffer overflow in Kitty terminal versions 0.46.2 and below allows any process able to write to the terminal's standard input to crash the application and potentially achieve remote code execution. The flaw lives in load_image_data() and is triggered by a single APC graphics protocol command declaring PNG format (f=100) with a payload exceeding twice the initial buffer capacity, giving the attacker control over both overflow length and content. …

Remediation (AI)

24 hours: Identify all systems running Kitty versions 0.46.2 or earlier. 7 days: Develop and test deployment plan to upgrade to Kitty 0.47.0 or later; implement input validation controls on terminal data sources. …
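
A version check for the first remediation step, as an added example that is not part of the advisory or the kitty project: it classifies `kitty --version` output against the fixed release 0.47.0. The function names and the assumed output format ("kitty X.Y.Z created by ...") are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag kitty installs older than the fixed release in the advisory.
FIXED_VERSION="0.47.0"   # first fixed version, taken from the description above

# Extract "X.Y.Z" from a line such as "kitty 0.46.2 created by Kovid Goyal"
# (assumed output format of `kitty --version`).
parse_kitty_version() {
    printf '%s\n' "$1" |
        sed -n 's/^kitty \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeed (return 0) only if version $1 is numerically lower than version $2.
# Each dotted field is compared as a number, so 0.9.3 sorts below 0.47.0.
version_lt() {
    if [ "$1" = "$2" ]; then
        return 1
    fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Classify one line of version output: "vulnerable X.Y.Z", "fixed X.Y.Z" or "unknown".
classify_kitty() {
    ver=$(parse_kitty_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable $ver"
    else
        echo "fixed $ver"
    fi
}

# Check the kitty binary on this host, if one is on PATH.
check_local_kitty() {
    if ! command -v kitty >/dev/null 2>&1; then
        echo "not-installed"
        return 0
    fi
    classify_kitty "$(kitty --version 2>/dev/null)"
}

check_local_kitty
```

An "unknown" result means the version line did not match the assumed format and the host needs a manual check.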
