CVE-2026-33642: CWE-190: Integer Overflow or Wraparound in kovidgoyal kitty
Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.
AI Analysis
Technical Summary
Kitty terminal versions prior to 0.47.0 contain an integer overflow vulnerability in the handle_compose_command() function within kitty/graphics.c. The function performs bounds validation on composition offsets using unsigned 32-bit arithmetic, which is susceptible to wrapping. An attacker able to write escape sequences to the terminal can supply crafted x_offset and y_offset values that pass the bounds check after wrapping but cause heap buffer over-read or write in compose_rectangles(). This can lead to memory corruption and potentially arbitrary code execution or denial of service. No privileges or user interaction are required beyond the ability to output to the terminal. The issue is resolved in kitty version 0.47.0.
Potential Impact
Successful exploitation can lead to heap buffer over-read or write, resulting in memory corruption. The CVSS score of 9.9 reflects critical impact with potential for confidentiality loss, integrity compromise, and high availability impact. The vulnerability allows remote unauthenticated attackers to cause severe memory corruption by sending crafted escape sequences to a vulnerable kitty terminal, potentially leading to arbitrary code execution or denial of service.
Mitigation Recommendations
This vulnerability has been fixed in kitty version 0.47.0. Users should upgrade to version 0.47.0 or later to remediate this issue. No other mitigations are indicated or required. Patch status is confirmed by the vendor's versioning information.
CVE-2026-33642: CWE-190: Integer Overflow or Wraparound in kovidgoyal kitty
Description
Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Kitty terminal versions prior to 0.47.0 contain an integer overflow vulnerability in the handle_compose_command() function within kitty/graphics.c. The function performs bounds validation on composition offsets using unsigned 32-bit arithmetic, which is susceptible to wrapping. An attacker able to write escape sequences to the terminal can supply crafted x_offset and y_offset values that pass the bounds check after wrapping but cause heap buffer over-read or write in compose_rectangles(). This can lead to memory corruption and potentially arbitrary code execution or denial of service. No privileges or user interaction are required beyond the ability to output to the terminal. The issue is resolved in kitty version 0.47.0.
Potential Impact
Successful exploitation can lead to heap buffer over-read or write, resulting in memory corruption. The CVSS score of 9.9 reflects critical impact with potential for confidentiality loss, integrity compromise, and high availability impact. The vulnerability allows remote unauthenticated attackers to cause severe memory corruption by sending crafted escape sequences to a vulnerable kitty terminal, potentially leading to arbitrary code execution or denial of service.
Mitigation Recommendations
This vulnerability has been fixed in kitty version 0.47.0. Users should upgrade to version 0.47.0 or later to remediate this issue. No other mitigations are indicated or required. Patch status is confirmed by the vendor's versioning information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T14:24:11.620Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0cacfeba1db47362c34af4
Added to database: 5/19/2026, 6:33:34 PM
Last enriched: 5/19/2026, 6:48:32 PM
Last updated: 5/19/2026, 8:38:25 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.