CVE-2026-33642
Description
Kitty is a cross-platform GPU-based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to a heap buffer over-read/write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in kitty terminal's compose rectangle bounds check allows heap buffer over-read/write via crafted escape sequences, fixed in 0.47.0.
Vulnerability
The kitty terminal emulator prior to version 0.47.0 contains an integer overflow vulnerability in the handle_compose_command() function in kitty/graphics.c[1]. The bounds check for composition offsets uses unsigned 32-bit arithmetic. An attacker who can write terminal escape sequences to a kitty terminal can supply crafted x_offset/y_offset values that, when added to width or height, wrap around to a small value, bypassing the bounds check and leading to a heap buffer over-read or over-write in compose_rectangles(). Versions 0.46.2 and below are affected.
Exploitation
An attacker requires the ability to produce output in a kitty terminal window. This can be achieved via a malicious file, an SSH login banner, piped content, or any other source of escape sequences. No user interaction beyond having the terminal render the output is required, and no non-default configuration is needed. The attacker sends a graphics composition command with offsets such that the sum wraps (e.g., dest_x = 0xFFFFFFE0, width = 48, sum = 16, which passes the > img->width check). The unchecked large offset is then used directly in pointer arithmetic in compose_rectangles(), causing massive out-of-bounds heap access.
Impact
Successful exploitation allows an attacker to perform a heap buffer over-read or over-write. This can lead to information disclosure (reading adjacent heap memory) or memory corruption, potentially resulting in arbitrary code execution within the context of the terminal process. The CVSS v3 score of 9.9 (Critical) reflects the low attack complexity, no required privileges, no user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation
The vulnerability has been fixed in kitty version 0.47.0 by changing the arithmetic in the bounds check to use uint64_t instead of unsigned int, preventing integer wrapping[2]. Users should upgrade to kitty 0.47.0 or later. There is no known workaround for the affected versions. The issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication date.
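The following is an added example, not code from kitty or from this advisory: it reproduces the destination bounds test of handle_compose_command() once with the pre-0.47.0 unsigned 32-bit arithmetic and once widened to uint64_t as in the fix, and applies both to the dest_x = 0xFFFFFFE0, width = 48 pair from the Exploitation section. The helper names rect_in_bounds_u32, rect_in_bounds_u64 and dest_start_offset, and the 64x64 image size, are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix check: the sum is computed in 32 bits, so a huge offset plus a small
 * width wraps modulo 2^32 to a small number that passes the comparison. */
static bool rect_in_bounds_u32(uint32_t img_w, uint32_t img_h,
                               uint32_t dest_x, uint32_t dest_y,
                               uint32_t width, uint32_t height) {
    uint32_t end_x = (uint32_t)(dest_x + width);   /* wraps */
    uint32_t end_y = (uint32_t)(dest_y + height);  /* wraps */
    return !(end_x > img_w || end_y > img_h);
}

/* Fixed check (as in 0.47.0): widen to uint64_t before adding. Two 32-bit
 * values cannot overflow a 64-bit sum, so the comparison is trustworthy. */
static bool rect_in_bounds_u64(uint32_t img_w, uint32_t img_h,
                               uint32_t dest_x, uint32_t dest_y,
                               uint32_t width, uint32_t height) {
    const uint64_t dx = dest_x, dy = dest_y, w = width, h = height;
    return !(dx + w > img_w || dy + h > img_h);
}

/* Byte offset of the first destination pixel (RGBA, 4 bytes) that a compose
 * would start writing at once the check has been passed. Computed without
 * wrapping so the distance from the real buffer becomes visible. */
static uint64_t dest_start_offset(uint32_t img_w, uint32_t dest_x, uint32_t dest_y) {
    return ((uint64_t)dest_y * img_w + dest_x) * 4u;
}

int main(void) {
    const uint32_t img_w = 64, img_h = 64;        /* constructed image size */
    const uint32_t bad_x = 0xFFFFFFE0u, w = 48;   /* pair quoted in the advisory */
    const uint64_t buf_bytes = (uint64_t)img_w * img_h * 4u;

    printf("u32 check accepts wrapping offset: %s\n",
           rect_in_bounds_u32(img_w, img_h, bad_x, 0, w, 16) ? "yes" : "no");
    printf("u64 check accepts wrapping offset: %s\n",
           rect_in_bounds_u64(img_w, img_h, bad_x, 0, w, 16) ? "yes" : "no");
    printf("first write at byte %llu of a %llu-byte buffer\n",
           (unsigned long long)dest_start_offset(img_w, bad_x, 0),
           (unsigned long long)buf_bytes);
    return 0;
}
```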
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=0.46.2
Patches
1e9661f0f3afb Graphics protocol: Fix crash when handling invalid offset values in graphics compose commands
2 files changed · +6 −3
docs/changelog.rst+2 −0 modified@@ -172,6 +172,8 @@ Detailed list of changes - Graphics protocol: Fix crash when handling invalid PNG image with direct transmission +- Graphics protocol: Fix crash when handling invalid offset values in graphics compose commands + - X11: Fix a regression in the previous release that caused an occasional crash on input device removal (:iss:`9723`) 0.46.2 [2026-03-21]
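Review bot: the new changelog line carries no issue or advisory reference, while the neighbouring X11 entry cites one with (:iss:`9723`); if a tracking issue or the CVE id exists for this fix, appending it in the same style would let readers map the 0.47.0 entry to this advisory.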
kitty/graphics.c+4 −3 modified@@ -1827,9 +1827,10 @@ handle_compose_command(GraphicsManager *self, bool *is_dirty, const GraphicsComm set_command_failed_response("ENOENT", "No destination frame number %u exists in image id: %u\n", g->other_frame_number, img->client_id); return; } - const unsigned int width = g->width ? g->width : img->width; - const unsigned int height = g->height ? g->height : img->height; - const unsigned int dest_x = g->x_offset, dest_y = g->y_offset, src_x = g->cell_x_offset, src_y = g->cell_y_offset; + // Use uint64_t to avoid overflow when testing for validity. All dimensions are 32bit numbers. + const uint64_t width = g->width ? g->width : img->width; + const uint64_t height = g->height ? g->height : img->height; + const uint64_t dest_x = g->x_offset, dest_y = g->y_offset, src_x = g->cell_x_offset, src_y = g->cell_y_offset; if (dest_x + width > img->width || dest_y + height > img->height) { set_command_failed_response("EINVAL", "The destination rectangle is out of bounds"); return;
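Review bot: the widened comparison `if (dest_x + width > img->width || dest_y + height > img->height)` now covers the destination rectangle only; src_x and src_y are promoted to uint64_t on the same line but no check against the source frame's dimensions appears in this hunk, so confirm that whatever validates them (if it lies outside the hunk) cannot wrap the same way. Also, once width, height, dest_x and dest_y are uint64_t, passing them on to any callee that still takes unsigned int narrows them implicitly; that is safe only because this check has just bounded them by img->width and img->height, and a one-line comment at that call site would make the dependency explicit.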