CVE-2026-33642
Heap Buffer Over-Read/Write in Kitty Terminal
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kovidgoyal | kitty | up to 0.46.2 (inclusive) |
| kovidgoyal | kitty | 0.46.3 |
| kovidgoyal | kitty | 0.47.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the kitty terminal emulator involves a heap buffer over-read and write caused by an integer overflow in the bounds checking of composition offsets. Specifically, the function handle_compose_command() uses unsigned 32-bit arithmetic to validate offsets, which can wrap around due to integer overflow. This allows an attacker to supply crafted x_offset and y_offset values that appear valid after wrapping but actually cause out-of-bounds heap memory access in the compose_rectangles() function.
Because of this flaw, an attacker who can write escape sequences to a kitty terminal (for example, through a malicious file, SSH login banner, or piped content) can trigger heap corruption without any user interaction or special configuration. This can lead to crashes or potentially arbitrary code execution.
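The wrap-around described above, as an added illustration of the CWE-190 bounds-check pattern (this is not kitty's code; the image dimensions, the function names and the `x_offset + width` form of the check are assumptions chosen to show the defect class and its fix):

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed destination image size (hypothetical, not kitty's structures). */
#define IMG_WIDTH  800u
#define IMG_HEIGHT 600u

/* Flawed check: pure uint32_t arithmetic. If x_off + w exceeds 2^32 the sum
   wraps to a small value, the comparison passes, and a later pixel copy that
   trusts this check indexes far outside the destination buffer. */
bool flawed_rect_fits(uint32_t x_off, uint32_t y_off, uint32_t w, uint32_t h) {
    return x_off + w <= IMG_WIDTH && y_off + h <= IMG_HEIGHT;
}

/* Hardened check: never form a sum that can wrap. First reject offsets that
   already lie outside the image, then compare the rectangle size against the
   room that remains; that subtraction cannot underflow once the first test
   has passed. */
bool safe_rect_fits(uint32_t x_off, uint32_t y_off, uint32_t w, uint32_t h) {
    if (x_off > IMG_WIDTH || y_off > IMG_HEIGHT)
        return false;
    return w <= IMG_WIDTH - x_off && h <= IMG_HEIGHT - y_off;
}

int main(void) {
    /* Constructed offsets: (UINT32_MAX - 7) + 12 wraps to 4 in uint32_t,
       so the flawed check accepts a rectangle that starts ~4 GiB past the
       image's right edge; the hardened check rejects it. */
    uint32_t x = UINT32_MAX - 7u, w = 12u;
    printf("wrapping input  -> flawed: %d  safe: %d\n",
           flawed_rect_fits(x, 0u, w, 10u), safe_rect_fits(x, 0u, w, 10u));
    /* A legitimate rectangle passes both checks. */
    printf("in-bounds input -> flawed: %d  safe: %d\n",
           flawed_rect_fits(100u, 50u, 700u, 550u),
           safe_rect_fits(100u, 50u, 700u, 550u));
    return 0;
}
```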
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause a denial of service through crashes (such as SIGSEGV or SIGBUS) in the kitty terminal emulator. More seriously, it may enable arbitrary code execution, which could compromise the security of your system.
The attacker only needs the ability to produce output in a kitty terminal window, which can be done via malicious files, SSH login banners, or piped content. No user interaction or special configuration is required.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the kitty terminal emulator version in use is 0.46.2 or below, as these versions contain the vulnerable code in the handle_compose_command() function.
Since the vulnerability is triggered by crafted escape sequences containing malicious x_offset and y_offset values, detection involves monitoring for unusual or suspicious escape sequences sent to kitty terminals.
There are no specific commands provided in the resources to detect the vulnerability directly on the network or system.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the kitty terminal emulator to version 0.47.0 or later, where the vulnerability has been fixed.
Avoid opening untrusted or malicious files, SSH login banners, or piped content that could contain crafted escape sequences targeting this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-33642 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.