CVE-2026-42850
Received - Intake
Command Injection in Kitty Terminal

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Kitty is a cross-platform GPU-based terminal. In versions prior to 0.47.0, it is possible to inject commands into the subshell through a kitty error message. A special escape code makes kitty return an error; this error is not escaped and is echoed back to the terminal verbatim with a CRLF, so the shell in use runs it as a command. To exploit this bug, the victim must use netcat or a similar program to connect to the attacker, or else be listening for someone to connect. Once this condition is met, an attacker could compromise the victim's computer using a special kitty escape code that runs a command in the shell in use. Version 0.47.0 fixes the issue.
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-13
AI Q&A
2026-06-12
EPSS Evaluated
N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor       Product   Version / Range
kitty        kitty     to 0.47.0 (exc)
kitty        kitty     to 0.4.7 (inc)
kovidgoyal   kitty     to 0.47.0 (exc)
CWE ID    Description
CWE-77    The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Quick Actions
Executive Summary

CVE-2026-42850 is a high-severity shell command injection vulnerability in the kitty terminal emulator versions prior to 0.47.0.

The flaw allows an attacker to execute arbitrary commands on a victim's system by abusing kitty's handling of a special escape code. The escape code triggers an error message that is not escaped and is echoed back to the terminal with a CRLF, causing the shell to run the injected command.

To exploit this vulnerability, the victim must connect to the attacker using netcat or a similar program, or must be listening for an incoming connection from the attacker. Once connected, the attacker can run commands on the victim's system through the specially crafted kitty escape code.

This issue was fixed in kitty version 0.47.0.

Impact Analysis

This vulnerability can allow an attacker to gain control over your computer by executing arbitrary shell commands remotely.

The attacker can compromise the confidentiality and integrity of your system by running malicious commands once a connection is established.

However, the attack requires the victim to initiate a connection to the attacker, and it involves high attack complexity and active user interaction.

Detection Guidance

Exploitation requires the victim's terminal to be attached to a raw network connection, so detection can start with monitoring for unusual or suspicious use of netcat or similar programs that connect to, or accept connections from, external hosts.

Additionally, detection can focus on identifying the presence of the special kitty escape code '\x1bP@kitty-ssh|...' in terminal input or logs, which triggers the vulnerability.

Commands to help detect potential exploitation attempts might include:

  • Using network monitoring tools (e.g., tcpdump or Wireshark) to capture and analyze outgoing connections initiated by netcat or similar tools.
  • Searching shell history or terminal logs for the escape sequence '\x1bP@kitty-ssh|...' or unusual error messages related to kitty.
  • Example command to search for the escape code in logs: grep -a $'\x1bP@kitty-ssh|' /path/to/terminal/logs
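A defender-side check for the log-searching advice above, written as an added example (not code from the page, from kitty, or from the advisory's assigner): it parses DCS sequences (ESC P ... ST) out of a terminal log and reports those addressed to kitty, flagging bodies that contain CR or LF (the echo-back condition the description relies on) and sequences cut off before their terminator, which a plain grep for the terminated form would miss. It assumes that kitty's private DCS commands share the `@kitty-` prefix (the page itself shows only `@kitty-ssh|`), and the log bytes below are constructed, not a real capture.

```python
import re
from typing import List, NamedTuple

# Constructed sample, not a real capture: a session in which the user ran a
# netcat-style client and the peer sent a kitty DCS sequence containing CRLF.
# "PLACEHOLDER" stands in for whatever body such a sequence would carry.
SAMPLE_LOG = (
    b"$ nc example.invalid 4444\r\n"
    b"hello\r\n"
    b"\x1bP@kitty-ssh|PLACEHOLDER\r\nid\r\n\x1b\\"  # kitty DCS with embedded CRLF
    b"\x1b]0;title\x07"                              # OSC title change: not a DCS, ignored
    b"\x1bPq#0;2;0;0;0\x1b\\"                        # non-kitty DCS (sixel): ignored
)

ESC = b"\x1b"
KITTY_PREFIX = b"@kitty-"   # assumption: kitty's private DCS commands share this prefix
# DCS framing: ESC P <body> ST, where ST is ESC \ ; logs often show BEL as a terminator too.
DCS_RE = re.compile(rb"\x1bP(.*?)(?:\x1b\\|\x07)", re.DOTALL)


class Finding(NamedTuple):
    offset: int           # byte offset of the ESC that opens the sequence
    kind: str             # text between "@kitty-" and the first '|', '{' or space
    payload: bytes        # full DCS body
    has_line_break: bool  # CR/LF inside the body, the echo-back condition in the advisory
    terminated: bool      # False when the log ends before the ST arrives


def _kind(body: bytes) -> str:
    rest = body[len(KITTY_PREFIX):]
    return re.split(rb"[|{ ]", rest, maxsplit=1)[0].decode("ascii", "replace")


def find_kitty_dcs(data: bytes) -> List[Finding]:
    """Return every DCS sequence addressed to kitty found in a byte buffer."""
    findings: List[Finding] = []
    scanned_to = 0
    for m in DCS_RE.finditer(data):
        body = m.group(1)
        scanned_to = m.end()
        if body.startswith(KITTY_PREFIX):
            findings.append(Finding(m.start(), _kind(body), body,
                                    b"\r" in body or b"\n" in body, True))
    # A truncated log can hold a kitty DCS whose terminator never arrived.
    tail = data.find(ESC + b"P" + KITTY_PREFIX, scanned_to)
    if tail != -1:
        body = data[tail + 2:]
        findings.append(Finding(tail, _kind(body), body,
                                b"\r" in body or b"\n" in body, False))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan a saved terminal log (e.g. script(1) output) in binary mode."""
    with open(path, "rb") as fh:
        return find_kitty_dcs(fh.read())


def describe(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, suitable for a report or SIEM event."""
    lines = []
    for f in findings:
        flags = []
        if f.has_line_break:
            flags.append("contains CR/LF")
        if not f.terminated:
            flags.append("unterminated")
        note = f" ({', '.join(flags)})" if flags else ""
        lines.append(f"offset {f.offset}: kitty DCS '@kitty-{f.kind}'{note}")
    return lines


if __name__ == "__main__":
    for line in describe(find_kitty_dcs(SAMPLE_LOG)):
        print(line)
```

Run it against a log captured with `script` or a terminal's own scrollback dump; any hit is worth a look, and a hit whose body contains CR/LF on a host still running a pre-0.47.0 kitty is the case the advisory describes. The scanner reads bytes rather than text so that ESC and BEL survive decoding.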
Mitigation Strategies

The immediate mitigation step is to upgrade the kitty terminal emulator to version 0.47.0 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, avoid using netcat or similar programs to connect to untrusted hosts, or to accept connections from them, from inside a kitty terminal, since the exploit requires such a connection.

Additionally, restrict or monitor network connections initiated from systems running vulnerable versions of kitty to reduce the risk of exploitation.

Compliance Impact

The vulnerability allows an attacker to execute arbitrary commands on a victim's system, potentially compromising confidentiality and integrity of data.

Such unauthorized command execution could lead to unauthorized access to sensitive personal or health information, which may result in non-compliance with regulations like GDPR and HIPAA that require protection of data confidentiality and integrity.

However, the exploit requires the victim to initiate a network connection to the attacker, which may limit the risk in some environments.
