7.5 CVE-2026-33633

Enriched by CISA Patch Exploit
 

Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing DoS and potentially escalation to RCE itself. This issue has been fixed in version 0.47.0.
https://nvd.nist.gov/vuln/detail/CVE-2026-33633

Categories

CWE-122 : Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. Use tools that are integrated duringcompilation to insert runtime error-checking mechanismsrelated to memory safety errors, such as AddressSanitizer(ASan) for C/C++ [REF-1518]. Pre-design: Use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Not a complete solution. Implement and perform bounds checking on input. Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary. Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth. Chain: Javascript engine code does not perform a length check (CWE-1284) leading to integer overflow (CWE-190) causing allocation of smaller buffer than expected (CWE-131) resulting in a heap-based buffer overflow (CWE-122) Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (CWE-681) and potentially leading to an integer overflow (CWE-190). If an integer overflow occurs, this can cause heap memory corruption (CWE-122) Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122). Chain: machine-learning product can have a heap-basedbuffer overflow (CWE-122) when some integer-oriented bounds arecalculated by using ceiling() and floor() on floating point values(CWE-1339) Chain: integer overflow (CWE-190) causes a negative signed value, which later bypasses a maximum-only check (CWE-839), leading to heap-based buffer overflow (CWE-122).

References


 

AFFECTED (from MITRE)

Vendor Product Versions
kovidgoyal kitty
  • < 0.47.0 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end
Configuration 1
cpe:2.3:a:kovidgoyal:kitty:*:*:*:*:*:*:*:* < 0.47.0

REMEDIATION

Patch

Url
https://github.com/kovidgoyal/kitty/commit/e9661f0f3afb4e4dbffa509adfb3df3c97...

EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://github.com/kovidgoyal/kitty/security/advisories/GHSA-j68c-v8x4-269g
https://github.com/kovidgoyal/kitty/security/advisories/GHSA-j68c-v8x4-269g

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
92 Forced Integer Overflow
High