CVE-2026-33642

Description

Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.

CVSS v3.1 Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H

EPSS — Exploit Prediction

0.0006

Probability of exploitation

0.19%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-125 Out-of-bounds Read

CWE-190 Integer Overflow

CWE-787 Out-of-bounds Write

References

Other References

https://github.com/kovidgoyal/kitty/commit/e9661f0f3afb4e4dbffa509adfb3df3c9780ad34 https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x

Frequently Asked Questions

What is CVE-2026-33642? +

Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0. It has a CVSS v3.1 base score of 9.9 (CRITICAL).

How severe is CVE-2026-33642? +

CVE-2026-33642 has a CVSS v3.1 score of 9.9 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately. The EPSS score is 0.0006, placing it in the 0th percentile for exploitation probability.

How do I check if I'm vulnerable to CVE-2026-33642? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-29013

libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() …

CVE-2026-3508

An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS System Control Interface allows a local user to cause system …

CVE-2025-48520

An improper input validation vulnerability within the AMD Platform Management Framework (PMF) driver can allow a local attacker to read …

CVE-2025-4098

Horner Automation Cscape version 10.0 (10.0.415.2) SP1 is vulnerable to an out-of-bounds read vulnerability that could allow an attacker to …

CVE-2025-49849

An Out-of-bounds Read vulnerability exists within the parsing of PRJ files. The issues result from the lack of proper validation …

CVE-2025-52938

Out-of-bounds Read vulnerability in dail8859 NotepadNext (src/lua/src modules). This vulnerability is associated with program files lparser.C. This issue affects NotepadNext: …