Description
Kitty is a cross-platform GPU-based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.
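To make the wrapping concrete, the following is an added example in C and is not kitty's code: it places a constructed bounds check written with unsigned 32-bit sums (the pattern the description attributes to handle_compose_command()) beside a check that compares against the remaining room instead of forming a sum. The Image and ComposeCmd structs, their field names, and the 800x600 sample destination are assumptions for this illustration; the code only evaluates the two checks and reports where the rectangle would land, it never reads or writes a pixel buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the bug class (CWE-190 leading to CWE-125/787).
 * These structs and functions are assumptions for this example; they are NOT
 * kitty's handle_compose_command() or compose_rectangles() code. */

typedef struct {
    uint32_t width;   /* destination image width in pixels */
    uint32_t height;  /* destination image height in pixels */
} Image;

typedef struct {
    uint32_t x_offset, y_offset;  /* supplied by the escape sequence */
    uint32_t width, height;       /* size of the rectangle being composed */
} ComposeCmd;

/* Weak check: the sums are computed in uint32_t, so a large x_offset wraps
 * around and the comparison passes even though the rectangle lies far
 * outside the destination buffer. */
bool weak_bounds_ok(const Image *dst, const ComposeCmd *c) {
    return c->x_offset + c->width <= dst->width &&
           c->y_offset + c->height <= dst->height;
}

/* Hardened check: never form a sum that can wrap. Each offset must itself be
 * inside the image; once that holds, the remaining room (dst - offset) cannot
 * underflow, and the rectangle must fit inside it. */
bool safe_bounds_ok(const Image *dst, const ComposeCmd *c) {
    if (c->x_offset > dst->width || c->y_offset > dst->height) return false;
    if (c->width > dst->width - c->x_offset) return false;
    if (c->height > dst->height - c->y_offset) return false;
    return true;
}

/* Byte offset of the first pixel the command would touch in a 4-bytes-per-pixel
 * buffer, computed in 64-bit arithmetic so the result shows how far outside
 * the buffer a wrapped command actually points. Reporting only; no access. */
uint64_t first_pixel_byte_offset(const Image *dst, const ComposeCmd *c) {
    return ((uint64_t)c->y_offset * dst->width + c->x_offset) * 4u;
}

uint64_t buffer_size_bytes(const Image *dst) {
    return (uint64_t)dst->width * dst->height * 4u;
}

int main(void) {
    Image dst = { .width = 800, .height = 600 };
    /* Constructed sample values: x_offset is chosen so that x_offset + width
     * wraps past UINT32_MAX back to 10, which the weak check accepts. */
    ComposeCmd wrapped = { .x_offset = UINT32_MAX - 9, .y_offset = 0,
                           .width = 20, .height = 10 };
    ComposeCmd legit   = { .x_offset = 100, .y_offset = 50,
                           .width = 20, .height = 10 };

    printf("legit   weak=%d safe=%d\n",
           weak_bounds_ok(&dst, &legit), safe_bounds_ok(&dst, &legit));
    printf("wrapped weak=%d safe=%d\n",
           weak_bounds_ok(&dst, &wrapped), safe_bounds_ok(&dst, &wrapped));
    printf("wrapped command would start at byte %llu of a %llu-byte buffer\n",
           (unsigned long long)first_pixel_byte_offset(&dst, &wrapped),
           (unsigned long long)buffer_size_bytes(&dst));
    return 0;
}
```

The subtraction form is the usual fix for this pattern: checking the offset against the image size first guarantees that `dst->width - c->x_offset` is well defined, so no intermediate value can wrap. Widening the sums to 64 bits is an alternative, but it only moves the problem if any field can later be widened too, so the comparison-without-addition form is preferable for review.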
Published: 2026-05-19
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer overflow in the bounds validation of composition offsets within kitty’s graphics compositing routine. This overflow allows an attacker to craft escape sequences that pass the bounds check after wrapping, resulting in large out‑of‑bounds heap reads or writes in compose_rectangles(). The memory corruption can enable data exfiltration, corruption of other processes, or remote code execution if an attacker can target specific memory locations in the same process space.

Affected Systems

Vendor: kovidgoyal:kitty. Versions 0.46.2 and earlier of the kitty terminal are affected. The issue affects all supported platforms (Windows, macOS, Linux) since kitty is cross‑platform. No special configuration is required for the flaw to be exploitable.

Risk and Exploitability

The CVSS score of 9.9 classifies this as critical. The EPSS score is unavailable, but the automated nature of the danger and the lack of user interaction suggest a non‑negligible risk of exploitation. The flaw is not listed in CISA’s KEV catalog. An attacker can inject malicious escape sequences from any source that the terminal accepts, such as a malicious file, an SSH banner, or piped input, and can achieve the overflow without user action, making the threat realistic for unattended or remote sessions.

Generated by OpenCVE AI on May 19, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to kitty 0.47.0 or newer, which contains a guard against the integer overflow.
  • If immediate upgrade is not feasible, restrict or filter escape sequence input in the terminal session to prevent crafted offsets from reaching kitty’s compositor.
  • Avoid launching kitty in contexts where untrusted data can be sent to it; for example, run kitty in a secure environment or replace it with a non‑GPU terminal when processing untrusted data streams.



Advisories

No advisories yet.

History

Tue, 19 May 2026 21:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Kovidgoyal; Kovidgoyal kitty

Type: Vendors & Products
Values Removed: (none)
Values Added: Kovidgoyal; Kovidgoyal kitty

Tue, 19 May 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 18:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.

Type: Title
Values Removed: (none)
Values Added: Kitty has a Heap Buffer Over-Read/Write via Integer Overflow in compose_rectangles Bounds Check

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-125; CWE-190; CWE-787

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H'}


Subscriptions

Kovidgoyal Kitty
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T19:13:23.671Z

Reserved: 2026-03-23T14:24:11.620Z

Link: CVE-2026-33642

Vulnrichment

Updated: 2026-05-19T19:13:06.368Z

NVD

Status: Awaiting Analysis

Published: 2026-05-19T19:16:49.293

Modified: 2026-05-19T21:08:41.030

Link: CVE-2026-33642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T21:00:11Z

Weaknesses