CVE-2026-33633

Name: CVE-2026-33633
Description: Kitty is a cross-platform GPU-based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing a denial of service and potentially allowing escalation to remote code execution. This issue has been fixed in version 0.47.0.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-6307-1
Debian Bugs: 1137210

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release            | Version           | Status
kitty (PTS)    | bullseye           | 0.19.3-1          | vulnerable
kitty (PTS)    | bullseye (security)| 0.19.3-1+deb11u1  | vulnerable
kitty (PTS)    | bookworm           | 0.26.5-5          | vulnerable
kitty (PTS)    | trixie             | 0.41.1-2          | vulnerable
kitty (PTS)    | trixie (security)  | 0.41.1-2+deb13u1  | fixed
kitty (PTS)    | forky, sid         | 0.47.0-3          | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version     | Urgency | Origin     | Debian Bugs
kitty   | source | trixie     | 0.41.1-2+deb13u1  |         | DSA-6307-1 |
kitty   | source | (unstable) | 0.47.0-1          |         |            | 1137210

Notes

https://github.com/kovidgoyal/kitty/security/advisories/GHSA-j68c-v8x4-269g
Fixed by: https://github.com/kovidgoyal/kitty/commit/48ab623f594d60dbbfb1e767d9686d380ce547fb (v0.47.0)
