CVE-2026-33642

Name: CVE-2026-33642
Description: Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to a heap buffer over-read/write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.
Source: CVE (at NVD)
Debian Bugs: 1137210
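The wrapping bounds check the description refers to, as an added C illustration that is not kitty's code: a test on composition offsets performed in uint32_t arithmetic, placed beside a wrap-free version and a 64-bit computation of where the accepted rectangle would actually land. The image geometry, argument names, function names and the crafted offset values are constructed for this example and are not taken from the advisory or from kitty's sources.

```c
/* Added example: the integer-wrapping bounds-check bug class behind
 * CVE-2026-33642, in a simplified form. NOT kitty's code: the image/request
 * layout, names and values below are assumptions for illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable pattern (assumed shape): offset + size is evaluated in uint32_t,
 * so a huge offset wraps the sum back to a small value and the
 * "<= image size" comparison passes. */
bool compose_in_bounds_wrapping(uint32_t img_w, uint32_t img_h,
                                uint32_t x, uint32_t y,
                                uint32_t w, uint32_t h)
{
    uint32_t x_end = x + w;   /* wraps modulo 2^32 for x near UINT32_MAX */
    uint32_t y_end = y + h;
    return x_end <= img_w && y_end <= img_h;
}

/* Hardened form: reject an out-of-range offset first, then compare the size
 * against the remaining room using a subtraction that cannot underflow.
 * There is no addition, so nothing can wrap. */
bool compose_in_bounds_safe(uint32_t img_w, uint32_t img_h,
                            uint32_t x, uint32_t y,
                            uint32_t w, uint32_t h)
{
    if (x >= img_w || y >= img_h)
        return false;
    return w <= img_w - x && h <= img_h - y;
}

/* Index of the first pixel the rectangle would touch in a row-major image,
 * computed in 64 bits so the true (unwrapped) distance from the buffer start
 * is visible. A real renderer would use this index to form a pointer. */
uint64_t compose_first_pixel_index(uint32_t img_w, uint32_t x, uint32_t y)
{
    return (uint64_t)y * img_w + x;
}

int main(void)
{
    const uint32_t img_w = 1024, img_h = 768;        /* constructed geometry */
    /* Constructed crafted request: x chosen so that x + w == 2^32 exactly,
     * which wraps to 0 in uint32_t and therefore passes "x_end <= img_w". */
    const uint32_t x = 0xFFFFFC00u, y = 0, w = 1024, h = 1;

    printf("wrapping check accepts crafted request: %s\n",
           compose_in_bounds_wrapping(img_w, img_h, x, y, w, h) ? "yes" : "no");
    printf("hardened check accepts crafted request: %s\n",
           compose_in_bounds_safe(img_w, img_h, x, y, w, h) ? "yes" : "no");
    printf("first pixel touched would be %llu pixels from the buffer start "
           "(image has %u pixels)\n",
           (unsigned long long)compose_first_pixel_index(img_w, x, y),
           img_w * img_h);
    return 0;
}
```

Unsigned wrap-around is defined behaviour in C, so `-Wall` and the default UBSan checks stay silent on the vulnerable function; clang's `-fsanitize=unsigned-integer-overflow` (not part of `-fsanitize=undefined`) does flag the wrapping addition, which is the check to add when auditing code of this shape.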

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version           Status
kitty (PTS)      bullseye             0.19.3-1          fixed
                 bullseye (security)  0.19.3-1+deb11u1  fixed
                 bookworm             0.26.5-5          vulnerable
                 trixie               0.41.1-2          vulnerable
                 forky                0.46.2-1          vulnerable
                 sid                  0.47.0-2          fixed

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version   Urgency  Origin  Debian Bugs
kitty    source  bullseye    (not affected)
kitty    source  (unstable)  0.47.0-1                         1137210

Notes

[bullseye] - kitty <not-affected> (frame composition introduced later)
https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x
https://github.com/kovidgoyal/kitty/commit/e9661f0f3afb4e4dbffa509adfb3df3c9780ad34
Introduced by: https://github.com/kovidgoyal/kitty/commit/340159b59141e26f25a20948fde8f9137b2df758 (v0.22.0)
