CVE-2026-33633: CWE-122: Heap-based Buffer Overflow in kovidgoyal kitty
Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing DoS and potentially escalation to RCE itself. This issue has been fixed in version 0.47.0.
AI Analysis
Technical Summary
CVE-2026-33633 is a heap buffer overflow vulnerability (CWE-122) in the kitty terminal emulator maintained by kovidgoyal. The vulnerability exists in the load_image_data() function, triggered by an APC graphics protocol command with a PNG format (f=100) whose payload length exceeds twice the initial buffer capacity. Both the length and content of the overflow are attacker-controlled, allowing denial of service and possible remote code execution. This affects kitty versions prior to 0.47.0. The CVSS 3.1 base score is 7.5, indicating high severity with network attack vector, high impact on confidentiality, integrity, and availability, and requiring user interaction with high attack complexity.
Potential Impact
Exploitation allows any process that can write to kitty's stdin to cause an immediate crash, resulting in denial of service. Due to attacker control over the overflow length and content, there is potential for escalation to remote code execution. The vulnerability impacts confidentiality, integrity, and availability of the affected system running vulnerable kitty versions.
Mitigation Recommendations
Upgrade kitty to version 0.47.0 or later, where this heap buffer overflow vulnerability has been fixed. Since this is a client-side application and not a cloud service, users must apply the update themselves. Patch status is confirmed by the vendor's versioning information. No additional mitigations are specified.
CVE-2026-33633: CWE-122: Heap-based Buffer Overflow in kovidgoyal kitty
Description
Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing DoS and potentially escalation to RCE itself. This issue has been fixed in version 0.47.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33633 is a heap buffer overflow vulnerability (CWE-122) in the kitty terminal emulator maintained by kovidgoyal. The vulnerability exists in the load_image_data() function, triggered by an APC graphics protocol command with a PNG format (f=100) whose payload length exceeds twice the initial buffer capacity. Both the length and content of the overflow are attacker-controlled, allowing denial of service and possible remote code execution. This affects kitty versions prior to 0.47.0. The CVSS 3.1 base score is 7.5, indicating high severity with network attack vector, high impact on confidentiality, integrity, and availability, and requiring user interaction with high attack complexity.
Potential Impact
Exploitation allows any process that can write to kitty's stdin to cause an immediate crash, resulting in denial of service. Due to attacker control over the overflow length and content, there is potential for escalation to remote code execution. The vulnerability impacts confidentiality, integrity, and availability of the affected system running vulnerable kitty versions.
Mitigation Recommendations
Upgrade kitty to version 0.47.0 or later, where this heap buffer overflow vulnerability has been fixed. Since this is a client-side application and not a cloud service, users must apply the update themselves. Patch status is confirmed by the vendor's versioning information. No additional mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T14:24:11.618Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0ca2183cb6383434df161b
Added to database: 5/19/2026, 5:47:04 PM
Last enriched: 5/19/2026, 5:47:18 PM
Last updated: 5/19/2026, 7:01:54 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.