CVE-2026-33633

Name: CVE-2026-33633
Description: Kitty is a cross-platform GPU-based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing a DoS and potentially escalating to RCE. This issue has been fixed in version 0.47.0.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1137210

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release             | Version            | Status
kitty (PTS)    | bullseye            | 0.19.3-1           | fixed
               | bullseye (security) | 0.19.3-1+deb11u1   | fixed
               | bookworm            | 0.26.5-5           | vulnerable
               | trixie              | 0.41.1-2           | vulnerable
               | forky               | 0.46.2-1           | vulnerable
               | sid                 | 0.47.0-2           | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
kitty   | source | bullseye   | (not affected) |         |        |
kitty   | source | (unstable) | 0.47.0-1       |         |        | 1137210

Notes

[bullseye] - kitty <not-affected> (frame composition introduced later)
https://github.com/kovidgoyal/kitty/security/advisories/GHSA-j68c-v8x4-269g
Fixed by: https://github.com/kovidgoyal/kitty/commit/48ab623f594d60dbbfb1e767d9686d380ce547fb (v0.47.0)
