Impact
Kitty, a cross-platform GPU-based terminal, contains a heap buffer overflow in its graphics protocol handler. The flaw resides in the load_image_data() function, which processes APC graphics commands and allocates an initial buffer for PNG image data. A single command that declares the PNG format with the flag f=100 and carries a payload larger than twice the allocated buffer overflows the heap. The attacker controls both the length and the content of the overflow, which crashes the kitty process and provides a potential path to arbitrary code execution. From the description it is inferred that the overflow could be leveraged to run code within the kitty process, which may further lead to remote code execution if the attacker can inject additional malicious data after the crash.
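The defect described above is a missing capacity check on a heap buffer that receives attacker-sized image data. The following is an added illustration, not kitty's load_image_data() and not derived from its source: a hypothetical image-data accumulator whose append routine checks the remaining capacity before copying, grows the allocation when needed, and refuses input beyond an assumed per-image cap. The initial size (INITIAL_CAPACITY) and the cap (MAX_IMAGE_BYTES) are constructed values for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical accumulator for image payload bytes. Assumed constants:
 * a small initial allocation (as the advisory describes) and a hard cap. */
#define INITIAL_CAPACITY 64u
#define MAX_IMAGE_BYTES  (8u * 1024u * 1024u)

typedef struct {
    unsigned char *data;
    size_t len;   /* bytes stored so far */
    size_t cap;   /* bytes allocated */
} image_buf;

int image_buf_init(image_buf *b) {
    b->data = malloc(INITIAL_CAPACITY);
    if (!b->data) return -1;
    b->len = 0;
    b->cap = INITIAL_CAPACITY;
    return 0;
}

void image_buf_free(image_buf *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Append n bytes. Returns 0 on success, -1 if the chunk is refused.
 * The size check runs before any byte is copied: a chunk that does not fit
 * either grows the buffer or is rejected, so nothing is ever written past
 * the allocation. An unchecked memcpy here is the bug class in the advisory. */
int image_buf_append(image_buf *b, const unsigned char *chunk, size_t n) {
    /* overflow-safe total-size check against the per-image cap */
    if (n > MAX_IMAGE_BYTES || b->len > MAX_IMAGE_BYTES - n) return -1;
    if (n > b->cap - b->len) {
        size_t want = b->len + n;
        size_t newcap = b->cap;
        while (newcap < want) {
            if (newcap > SIZE_MAX / 2) return -1;
            newcap *= 2;
        }
        unsigned char *p = realloc(b->data, newcap);
        if (!p) return -1;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 0;
}

/* Demo driver: feed one constructed payload of n bytes (all set to fill)
 * into a fresh buffer. Returns the stored length, -1 if refused, -2 if the
 * stored content does not match what was fed. */
long feed_payload(size_t n, unsigned char fill) {
    image_buf b;
    if (image_buf_init(&b) != 0) return -1;
    unsigned char *payload = malloc(n ? n : 1);
    if (!payload) { image_buf_free(&b); return -1; }
    memset(payload, fill, n);
    int rc = image_buf_append(&b, payload, n);
    long out = (rc == 0) ? (long)b.len : -1;
    if (rc == 0 && n > 0 && b.data[n - 1] != fill) out = -2;
    free(payload);
    image_buf_free(&b);
    return out;
}

int main(void) {
    /* a payload more than twice the initial allocation is stored safely */
    printf("3x initial: %ld\n", feed_payload(3 * INITIAL_CAPACITY, 0xAB));
    /* a payload over the cap is refused rather than allocated blindly */
    printf("over cap:   %ld\n", feed_payload(MAX_IMAGE_BYTES + 1, 0x01));
    return 0;
}
```

The point of the growth loop is that the decision to copy is made from the declared chunk length and the current capacity, never from trust in the sender; the cap additionally bounds how much memory a single terminal write can force the process to allocate.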
Affected Systems
All releases of kovidgoyal:kitty up to and including version 0.46.2 are affected. The advisory does not single out particular operating systems; the application runs on Linux, macOS and Windows. Any environment where a process can write to the terminal's standard input is susceptible, because the overflow is triggered by input sent through stdin.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. No EPSS score is available, so the likelihood of exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a local or shared terminal scenario in which an unprivileged user can inject data through stdin. The immediate effect is denial of service via a crash; the overflow also creates a potential avenue for code execution, as implied by the description.
OpenCVE Enrichment