CVE-2026-33633
Description
kitty is a cross-platform GPU-based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing a denial of service and potentially escalating to RCE. This issue has been fixed in version 0.47.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer overflow in kitty terminal's graphics protocol handler allows any process writing to stdin to crash the terminal and potentially achieve RCE.
Vulnerability
A heap buffer overflow exists in load_image_data() in kitty/kitty/graphics.c. When a PNG image transfer (f=100) is initiated, initialize_load_data() allocates a buffer of size data_sz + 10. If the incoming payload exceeds this, load_image_data() doubles the buffer capacity once but then calls memcpy without verifying the doubled capacity is sufficient, leading to a heap buffer overflow. Affected versions are 0.46.2 and below [1].
Exploitation
An attacker needs only the ability to write to the terminal's stdin (e.g., via a malicious process or remote input). They send a single APC graphics protocol command with f=100 (PNG format) and a payload larger than twice the initial buffer capacity. The overflow is attacker-controlled in both length and content [1].
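The bug pattern described in the Vulnerability and Exploitation sections (grow the buffer once, then memcpy without re-checking the bound) is easiest to see beside a correct append. The following C model is an added example, not kitty's code: the struct layout, the initial capacity, and the function names are assumptions for illustration, and the "vulnerable" version reports how many bytes would spill past the allocation instead of actually performing the out-of-bounds write.

```c
/* Added example (not kitty's code): a model of the "grow once, then memcpy"
 * pattern described for load_image_data(), next to a hardened append that
 * keeps growing until the buffer really fits the payload. Buffer layout,
 * initial capacity and function names are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *data;
    size_t len;   /* bytes already stored */
    size_t cap;   /* bytes allocated */
} buf_t;

/* Vulnerable pattern: capacity is doubled exactly once when the payload does
 * not fit, then the copy would go ahead regardless. Instead of performing the
 * out-of-bounds write, this model returns how many bytes would land past the
 * allocation (0 means the write was in bounds and was performed). */
size_t grow_once_append(buf_t *b, const uint8_t *src, size_t n) {
    if (b->len + n > b->cap) {
        size_t newcap = b->cap * 2;          /* one doubling, never re-checked */
        uint8_t *p = realloc(b->data, newcap);
        if (!p) abort();
        b->data = p;
        b->cap = newcap;
    }
    size_t overflow = (b->len + n > b->cap) ? (b->len + n) - b->cap : 0;
    if (overflow == 0) {                      /* only copy when the bound holds */
        memcpy(b->data + b->len, src, n);
        b->len += n;
    }
    return overflow;
}

/* Hardened pattern: compute the required size first, guard the size_t
 * arithmetic against wraparound, grow in a loop until the capacity is
 * sufficient, and only then copy. Returns false on wraparound or OOM. */
bool safe_append(buf_t *b, const uint8_t *src, size_t n) {
    if (n > SIZE_MAX - b->len) return false;  /* len + n would wrap */
    size_t need = b->len + n;
    if (need > b->cap) {
        size_t newcap = b->cap ? b->cap : 16;
        while (newcap < need) {
            if (newcap > SIZE_MAX / 2) { newcap = need; break; }
            newcap *= 2;
        }
        uint8_t *p = realloc(b->data, newcap);
        if (!p) return false;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, n);
    b->len = need;
    return true;
}

/* Drive both versions with a constructed payload larger than twice the initial
 * capacity, which is the condition named in the advisory. Returns the number
 * of bytes the vulnerable version would have written out of bounds; the
 * hardened version must always succeed. */
size_t demo(size_t initial_cap, size_t payload_len) {
    uint8_t *payload = malloc(payload_len);   /* constructed attacker payload */
    if (!payload) abort();
    memset(payload, 'A', payload_len);

    buf_t vuln = { malloc(initial_cap), 0, initial_cap };
    size_t spilled = grow_once_append(&vuln, payload, payload_len);

    buf_t safe = { malloc(initial_cap), 0, initial_cap };
    if (!safe_append(&safe, payload, payload_len)) abort();
    if (safe.len != payload_len || safe.cap < payload_len) abort();

    free(vuln.data);
    free(safe.data);
    free(payload);
    return spilled;
}
```

With an initial capacity of 16 bytes, a 40-byte payload leaves the grow-once buffer at 32 bytes and spills 8; a 32-byte payload fits exactly and a 33-byte one spills a single byte, which is the boundary a regression test should pin down.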
Impact
The overflow causes immediate denial of service (crash). The advisory notes that the attacker-controlled content could potentially lead to remote code execution (RCE) with the privileges of the terminal process. CVSS for DoS is 6.5, for RCE is 8.3 [1].
Mitigation
Fixed in version 0.47.0. Users should upgrade to 0.47.0 or later. No workaround is mentioned [1]. A related commit [2] addresses offset handling but the primary fix is in the 0.47.0 release.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=0.46.2
Patches
1e9661f0f3afb  Graphics protocol: Fix crash when handling invalid offset values in graphics compose commands
2 files changed · +6 −3
docs/changelog.rst+2 −0 modified@@ -172,6 +172,8 @@ Detailed list of changes - Graphics protocol: Fix crash when handling invalid PNG image with direct transmission +- Graphics protocol: Fix crash when handling invalid offset values in graphics compose commands + - X11: Fix a regression in the previous release that caused an occasional crash on input device removal (:iss:`9723`) 0.46.2 [2026-03-21]
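Review bot: the new entry on the `+- Graphics protocol: Fix crash when handling invalid offset values in graphics compose commands` line carries no issue reference, while the neighbouring X11 entry cites `(:iss:`9723`)`; if a report or advisory tracks this crash, link it in the same `:iss:` form so readers can trace the fix back to it.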
kitty/graphics.c+4 −3 modified@@ -1827,9 +1827,10 @@ handle_compose_command(GraphicsManager *self, bool *is_dirty, const GraphicsComm set_command_failed_response("ENOENT", "No destination frame number %u exists in image id: %u\n", g->other_frame_number, img->client_id); return; } - const unsigned int width = g->width ? g->width : img->width; - const unsigned int height = g->height ? g->height : img->height; - const unsigned int dest_x = g->x_offset, dest_y = g->y_offset, src_x = g->cell_x_offset, src_y = g->cell_y_offset; + // Use uint64_t to avoid overflow when testing for validity. All dimensions are 32bit numbers. + const uint64_t width = g->width ? g->width : img->width; + const uint64_t height = g->height ? g->height : img->height; + const uint64_t dest_x = g->x_offset, dest_y = g->y_offset, src_x = g->cell_x_offset, src_y = g->cell_y_offset; if (dest_x + width > img->width || dest_y + height > img->height) { set_command_failed_response("EINVAL", "The destination rectangle is out of bounds"); return;
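Review bot: the widened `dest_x + width > img->width` check now rejects sums that previously wrapped modulo 2^32, but the hunk ends before the first use of these values, so any code below that hands `width`, `height`, `dest_x` or `src_x` to a 32-bit parameter now gets a silent uint64_t-to-unsigned narrowing; add an explicit `(unsigned int)` cast at those call sites, or re-derive 32-bit copies after the check, so the narrowing is visibly intentional (the comparison only guarantees the values fit once it has passed). Worth pinning with a regression test: `g->x_offset = UINT32_MAX - 15` with `g->width = 32` on a wider image, which the old `unsigned int` arithmetic evaluated as `dest_x + width == 16` and accepted.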
Vulnerability mechanics
Root cause
"Heap buffer overflow in load_image_data() when an APC graphics command with PNG format (f=100) carries a payload exceeding twice the initial buffer capacity, allowing attacker-controlled length and content to overflow the heap buffer."
Attack vector
An attacker who can write to the terminal's stdin sends a crafted APC (Application Program Command) escape sequence with a PNG format declaration (f=100). The payload size exceeds twice the initial buffer capacity allocated for the transfer, causing a heap buffer overflow in load_image_data(). The overflow content and length are attacker-controlled, leading to immediate denial of service and potentially arbitrary code execution. The CVSS vector indicates network-based exploitation with high attack complexity, requiring user interaction (e.g., viewing attacker-controlled output).
Affected code
The heap buffer overflow occurs in the load_image_data() function within kitty's graphics protocol handling code. The advisory does not specify the exact file path, but the graphics protocol parsing logic resides in the kitty source tree. The patch [patch_id=626085] modifies kitty/graphics.c, which is part of the same graphics subsystem.
What the fix does
The patch [patch_id=626085] addresses a separate but related issue in handle_compose_command() by promoting the width, height, and offset variables from unsigned int to uint64_t. With 32-bit operands, dest_x + width and dest_y + height wrap modulo 2^32, so a large offset could produce a small sum that passed the out-of-bounds check and then crashed the terminal; computing the sums in 64 bits makes the comparison exact for any pair of 32-bit inputs. The changelog also notes a fix for a crash when handling invalid PNG images with direct transmission, which corresponds to the heap buffer overflow in load_image_data().
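The wraparound described above is concrete enough to model directly. The following C block is an added example, not kitty's code: it places the 32-bit form of the rectangle check beside the 64-bit form from the patch, with the struct names, field names and sample dimensions chosen as assumptions for illustration, and the sizes fixed to uint32_t so the wrap behaviour does not depend on the platform's int width.

```c
/* Added example (not kitty's code): the rectangle bounds check in its 32-bit
 * and 64-bit forms. Struct and field names are assumptions for illustration;
 * image dimensions and command offsets are constructed inputs. */
#include <stdbool.h>
#include <stdint.h>

typedef struct { uint32_t width, height; } img_t;
typedef struct { uint32_t width, height, x_offset, y_offset; } cmd_t;

/* Before: 32-bit arithmetic. dest_x + width wraps modulo 2^32, so a huge
 * offset can make the sum small and slip past the check. */
bool compose_in_bounds_u32(const img_t *img, const cmd_t *g) {
    const uint32_t width  = g->width  ? g->width  : img->width;  /* 0 = whole image */
    const uint32_t height = g->height ? g->height : img->height;
    const uint32_t dest_x = g->x_offset, dest_y = g->y_offset;
    return !(dest_x + width > img->width || dest_y + height > img->height);
}

/* After: operands are widened to 64 bits first, so the sum of two 32-bit
 * values can never wrap and the comparison is exact. */
bool compose_in_bounds_u64(const img_t *img, const cmd_t *g) {
    const uint64_t width  = g->width  ? g->width  : img->width;
    const uint64_t height = g->height ? g->height : img->height;
    const uint64_t dest_x = g->x_offset, dest_y = g->y_offset;
    return !(dest_x + width > img->width || dest_y + height > img->height);
}

/* Constructed bypass: x_offset + width is 2^32 + 16, which the 32-bit check
 * sees as 16 and accepts on a 100x100 image. Returns true when the 32-bit
 * form accepts the command while the 64-bit form rejects it. */
bool wrap_bypass_demo(void) {
    const img_t img = { 100, 100 };
    const cmd_t g = { .width = 32, .height = 0,
                      .x_offset = UINT32_MAX - 15, .y_offset = 0 };
    return compose_in_bounds_u32(&img, &g) && !compose_in_bounds_u64(&img, &g);
}
```

The same two functions agree on ordinary inputs (an in-bounds rectangle passes both, an honestly oversized one fails both); they only diverge when the sum exceeds 2^32, which is exactly the case a fuzzer or a unit test should feed the pre-patch code.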
Preconditions
- input: Attacker must be able to write arbitrary data to the terminal's stdin (e.g., via a local process, or by tricking a user into viewing attacker-controlled terminal output).
- network: If remote, attacker must deliver the malicious APC sequence through a network service whose output is displayed in the terminal (user interaction required).
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0): No linked articles in our index yet.