CVE-2026-33642 Overview
CVE-2026-33642 is a critical vulnerability in the Kitty cross-platform GPU-based terminal emulator. The flaw resides in the handle_compose_command() function in kitty/graphics.c, where bounds validation on composition offsets uses unsigned 32-bit arithmetic susceptible to integer wrapping. Crafted x_offset and y_offset values pass the bounds check after wrapping but trigger out-of-bounds heap access inside compose_rectangles(). The vulnerability affects Kitty versions 0.46.2 and below and was fixed in version 0.47.0. Attackers exploit the flaw by writing escape sequences to a Kitty terminal through malicious files, SSH login banners, or piped content. No user interaction or non-default configuration is required.
Critical Impact
Remote attackers can trigger heap buffer over-read or over-write conditions by producing terminal output, leading to memory corruption or information disclosure without user interaction.
Affected Products
- Kitty terminal versions 0.46.2 and below
- Fixed in Kitty version 0.47.0
- All platforms supported by Kitty (Linux, macOS)
Discovery Timeline
- 2026-05-19 - CVE-2026-33642 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-33642
Vulnerability Analysis
The vulnerability stems from improper integer arithmetic during graphics composition handling in Kitty. The handle_compose_command() function validates user-supplied composition offsets using unsigned 32-bit math. When attacker-controlled values produce arithmetic that exceeds the 32-bit boundary, the result wraps around to a small value. The wrapped value passes subsequent bounds checks designed to confirm the offsets fall within allocated image dimensions.
Once validation succeeds, compose_rectangles() performs memory operations using the original, unwrapped offsets. This mismatch produces large out-of-bounds reads or writes against the heap region storing image data. The CWE-125 classification (Out-of-Bounds Read) reflects the primary impact, though the advisory confirms both over-read and over-write conditions are reachable.
Root Cause
The root cause is an integer wrapping flaw in the unsigned 32-bit arithmetic used for bounds validation. The validation logic and the consuming code path interpret the offset values inconsistently: the check operates on a wrapped sum while compose_rectangles() uses the original offsets, so a value that is sanitized in one path remains dangerous in the other. The effect is a check-versus-use mismatch in the style of a Time-of-Check to Time-of-Use bug, driven here by arithmetic overflow rather than by a race.
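The check-versus-use mismatch described above, reduced to the bug class as an added illustration (this is not Kitty's code; image_t, check_wrapping, check_safe and access_in_bounds are hypothetical names). The wrapping comparison accepts an x offset near UINT32_MAX because the 32-bit sum wraps to 16, and the consumer, doing its pointer math on the original offset, runs off the buffer; the overflow-safe comparison rejects the same request.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the bug class, not Kitty's code: an image buffer
 * described by its width and height in pixels, and a compose request that
 * names an x offset plus a rectangle width that must stay inside the image. */
typedef struct { uint32_t width, height; } image_t;

/* Vulnerable pattern: the sum is evaluated in uint32_t, so an offset close
 * to UINT32_MAX wraps to a small number and the comparison passes. */
bool check_wrapping(const image_t *img, uint32_t x_offset, uint32_t w) {
    return x_offset + w <= img->width;   /* wraps when x_offset + w > UINT32_MAX */
}

/* Hardened pattern: compare without forming a sum that can overflow. */
bool check_safe(const image_t *img, uint32_t x_offset, uint32_t w) {
    return x_offset <= img->width && w <= img->width - x_offset;
}

/* Model of the consumer: after a check accepts the request, pointer math is
 * done with the original (unwrapped) offset widened to 64 bits. Returns true
 * when the check rejected the request or the access stays in bounds; false
 * means the check let an out-of-bounds access through. */
bool access_in_bounds(bool (*check)(const image_t *, uint32_t, uint32_t),
                      const image_t *img, uint32_t x_offset, uint32_t w) {
    if (!check(img, x_offset, w))
        return true;                      /* rejected: nothing is touched */
    uint64_t end = (uint64_t)x_offset + w;
    return end <= img->width;
}

int main(void) {
    image_t img = { .width = 100, .height = 100 };
    uint32_t bad_x = 0xFFFFFFF0u, w = 32;   /* constructed: 0xFFFFFFF0 + 32 wraps to 16 */
    printf("wrapping check accepts: %d, access in bounds: %d\n",
           check_wrapping(&img, bad_x, w), access_in_bounds(check_wrapping, &img, bad_x, w));
    printf("safe check accepts: %d, access in bounds: %d\n",
           check_safe(&img, bad_x, w), access_in_bounds(check_safe, &img, bad_x, w));
    return 0;
}
```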
Attack Vector
Attackers deliver crafted Kitty graphics protocol escape sequences to a victim terminal. Common delivery channels include malicious files displayed with cat, SSH login banners, log output piped to the terminal, and content rendered by command-line tools. The attack requires only that the Kitty terminal renders the malicious output. No clicks, prompts, or configuration changes are required on the victim system.
No verified public proof-of-concept code is available. The technical fix is documented in the Kitty GitHub commit and the Kitty Security Advisory GHSA-qfgm-2c64-6x3x.
Detection Methods for CVE-2026-33642
Indicators of Compromise
- Unexpected Kitty terminal crashes, segmentation faults, or abnormal terminations during file display or remote session activity
- Graphics protocol escape sequences (\x1b_G prefixed payloads) appearing in untrusted files, logs, or SSH banners
- Kitty process generating core dumps shortly after rendering output from untrusted sources
Detection Strategies
- Inspect file content and network streams for Kitty graphics protocol sequences containing unusually large x or y offset parameters
- Monitor endpoint telemetry for Kitty process crashes correlated with shell sessions reading attacker-supplied content
- Audit version inventory of installed Kitty packages to identify hosts running 0.46.2 or earlier
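A scanner for the first detection strategy above, added here as example code rather than anything from the Kitty project. It assumes the graphics protocol's control data is a comma-separated list of single-letter key=value pairs terminated by ';' or ESC, that x, y, X and Y are the offset keys, and an arbitrary threshold of 0x7FFFFFFF for "unusually large".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed threshold for "unusually large": no terminal image needs an offset
 * that sets the top bit of a 32-bit value. Tune to taste. */
#define SUSPICIOUS_OFFSET 0x7FFFFFFFULL
/* Scan len bytes for graphics APC sequences (ESC _ G <key=value,...> ; <payload> ESC \)
 * and count those whose x, y, X or Y key (assumed offset keys) exceeds the
 * threshold. Returns the number of suspicious sequences found. */
size_t count_suspicious_graphics(const unsigned char *buf, size_t len) {
    size_t hits = 0;
    for (size_t i = 0; i + 3 <= len; i++) {
        if (buf[i] != 0x1b || buf[i + 1] != '_' || buf[i + 2] != 'G')
            continue;
        /* Copy the control data up to ';' or ESC into a bounded buffer. */
        char ctl[256];
        size_t n = 0, p = i + 3;
        while (p < len && buf[p] != ';' && buf[p] != 0x1b && n < sizeof ctl - 1)
            ctl[n++] = (char)buf[p++];
        ctl[n] = '\0';
        int suspicious = 0;
        for (char *tok = strtok(ctl, ","); tok; tok = strtok(NULL, ",")) {
            if (strlen(tok) < 3 || tok[1] != '=' || strchr("xyXY", tok[0]) == NULL)
                continue;                    /* keys are single characters */
            char *end;
            unsigned long long v = strtoull(tok + 2, &end, 10);
            if (*end == '\0' && v > SUSPICIOUS_OFFSET)
                suspicious = 1;              /* strtoull saturates, so huge digit runs still flag */
        }
        hits += (size_t)suspicious;
        i = p;                               /* continue scanning after the control data */
    }
    return hits;
}

/* Constructed sample: a benign transmit command followed by two compose-style
 * commands carrying offsets near UINT32_MAX. */
static const unsigned char SAMPLE[] =
    "ls output, nothing special\n"
    "\x1b_Ga=T,f=24,s=2,v=2;AAAA\x1b\\\n"
    "\x1b_Ga=c,x=4294967280,y=0,w=32,h=32;\x1b\\\n"
    "\x1b_Ga=c,X=10,Y=4294967295;\x1b\\\n";

int main(void) {
    printf("suspicious graphics sequences: %zu\n",
           count_suspicious_graphics(SAMPLE, sizeof SAMPLE - 1));   /* prints 2 */
    return 0;
}
```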
Monitoring Recommendations
- Capture process crash events for kitty binaries and forward to a central log store for correlation
- Track SSH banner content and MOTD modifications on managed servers to detect injection of graphics escape sequences
- Alert on file downloads followed by terminal-related crash signatures in close time proximity
How to Mitigate CVE-2026-33642
Immediate Actions Required
- Upgrade Kitty to version 0.47.0 or later on all affected workstations and servers
- Inventory all systems running Kitty 0.46.2 or below and prioritize developer and administrator endpoints
- Restrict rendering of untrusted files and remote banners until patching is complete
Patch Information
The maintainer fixed the issue in Kitty version 0.47.0. The corrected arithmetic and bounds handling are documented in the upstream commit e9661f0. Distribution package maintainers should backport the fix or ship the upstream 0.47.0 release.
Workarounds
- Pipe untrusted output through cat -v or less configured to strip escape sequences before displaying in Kitty
- Where feasible, avoid triggering graphics protocol rendering at all by not using cat on untrusted binary files in Kitty windows
- Configure SSH servers to sanitize or remove banner content sourced from user-writable locations
# Verify installed Kitty version and upgrade
kitty --version
# Example upgrade paths
# Arch Linux
sudo pacman -Syu kitty
# Homebrew (macOS)
brew upgrade kitty
# Manual install via official installer
curl -L https://sw.kovidgoyal.net/kitty/installer.sh | sh /dev/stdin
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.