Skip to main content

Kitty Terminal CVE-2026-33642

| EUVDEUVD-2026-30968 CRITICAL
Integer Overflow or Wraparound (CWE-190)
2026-05-19 GitHub_M
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

3
Patch available
May 19, 2026 - 19:02 EUVD
Source Code Evidence Fetched
May 19, 2026 - 19:00 vuln.today
Analysis Generated
May 19, 2026 - 19:00 vuln.today

DescriptionGitHub Advisory

Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.

AnalysisAI

Heap memory corruption in Kitty cross-platform GPU terminal emulator (versions 0.46.2 and below) allows remote attackers to trigger out-of-bounds heap reads and writes by emitting crafted graphics protocol escape sequences. The flaw stems from a 32-bit integer overflow in handle_compose_command() that lets malicious x_offset/y_offset values bypass bounds checks. No public exploit identified at time of analysis, but the bug requires no user interaction, no authentication, and works against default configurations whenever attacker-controlled bytes can reach the terminal - including via SSH banners, cat'd files, or piped output.

Technical ContextAI

Kitty is a widely deployed GPU-accelerated terminal emulator written in C by Kovid Goyal (CPE cpe:2.3:a:kovidgoyal:kitty). The vulnerability is in kitty/graphics.c, specifically the handle_compose_command() routine of Kitty's proprietary graphics protocol that lets terminals render bitmap images via escape sequences. Per CWE-190 (Integer Overflow or Wraparound), the original code declared width, height, dest_x, dest_y, src_x, and src_y as 32-bit unsigned ints and combined them in arithmetic bounds checks. Because each component is itself a full 32-bit value, sums such as dest_x + width wrap around past UINT32_MAX, making the validity check pass even when the resulting region extends far outside the source/destination image buffers. The patched code (commit e9661f0f3afb) widens these locals to uint64_t so the addition cannot overflow during validation before reaching compose_rectangles().

RemediationAI

Vendor-released patch: upgrade to Kitty 0.47.0 or later, which widens the offset arithmetic to uint64_t (commit https://github.com/kovidgoyal/kitty/commit/e9661f0f3afb4e4dbffa509adfb3df3c9780ad34); the advisory is at https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x. Where immediate upgrade is impossible, compensating controls include avoiding cat/less/tail on untrusted files (pipe through a sanitizer such as cat -v or strings which strips control bytes), disabling automatic display of SSH banners by setting LogLevel QUIET / using ssh -q, and configuring tooling to filter or escape the Kitty graphics-protocol introducer (ESC _G ... ESC \) before content reaches the terminal; the trade-off is loss of legitimate inline-image features (icat, image previews in file managers, terminal-rendered plots) until patched.

More in Kitty

View all
CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2016-2563 CRITICAL POC
9.8 Apr 07

Stack-based buffer overflow in the SCP command-line utility in PuTTY before 0.67 and KiTTY 0.66.6.3 and earlier allows r

CVE-2020-35605 CRITICAL POC
9.8 Dec 21

The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code bec

CVE-2024-23749 HIGH POC
7.8 Feb 09

KiTTY versions 0.76.1.13 and before is vulnerable to command injection via the filename variable, occurs due to insuffic

CVE-2024-25004 HIGH POC
7.8 Feb 09

KiTTY versions 0.76.1.13 and before is vulnerable to a stack-based buffer overflow via the username, occurs due to insuf

CVE-2024-25003 HIGH POC
7.8 Feb 09

KiTTY versions 0.76.1.13 and before is vulnerable to a stack-based buffer overflow via the hostname, occurs due to insuf

CVE-2022-41322 HIGH POC
7.8 Sep 23

In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code e

CVE-2025-43929 MEDIUM POC
4.1 Apr 20

open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that ma

CVE-2026-42851 HIGH
7.8 Jun 12

Remote code execution in Kitty terminal emulator versions prior to 0.47.0 allows any process or remote peer that can wri

CVE-2026-33633 HIGH
7.5 May 19

Heap buffer overflow in Kitty terminal versions 0.46.2 and below allows any process able to write to the terminal's stan

CVE-2026-42850 HIGH
7.4 Jun 12

Command injection in Kitty cross-platform GPU terminal emulator versions prior to 0.47.0 allows remote attackers to exec

CVE-2026-54057 HIGH
7.3 Jun 12

Code injection in Kitty terminal emulator versions prior to 0.47.3 allows attacker-controlled bytes - including newline

Share

CVE-2026-33642 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy