High severity7.8NVD Advisory· Published Jun 12, 2026

CVE-2026-42851

Description

Kitty terminals prior to 0.47.0 can be remotely exploited to execute arbitrary Python code when a victim views attacker-controlled bytes via the @kitty-edit DCS sequence and the --color=geninclude config directive.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Kitty terminal emulator versions prior to 0.47.0 contain a remote code execution vulnerability. A program capable of writing arbitrary bytes to a kitty terminal can trigger the private DCS sequence DCS @kitty-edit| ... ST, which is dispatched to Window.handle_remote_edit. This sequence is processed without any authentication or permission prompt. The @kitty-edit handler passes user-supplied arguments to parse_opts_for_clone, which admits the --color option. Color specifications containing = are re-parsed as inline kitty configuration, and the kitty config language honours the geninclude directive. geninclude calls runpy.run_path() for .py paths, executing attacker-supplied Python code directly inside the kitty process [1].

Exploitation

An attacker needs only the ability to write arbitrary bytes to a victim's kitty terminal. This can be achieved via a remote SSH peer printing output, a downloaded file viewed with cat, a log line displayed in tail -f, an email body viewed in less, or any similar scenario where attacker-controlled text reaches a kitty terminal. The victim must view the attacker-controlled bytes; no further interaction such as clicking, pasting, or approving a prompt is required. The vulnerability chain is: attacker sends DCS @kitty-edit|--color=geninclude:path/to/malicious.py ST, the parser dispatches to the edit helper protocol, which interprets the --color option, re-parses the color spec as config, the config includes geninclude with a path to an attacker-controlled Python file, and kitty executes that file [1].

Impact

Successful exploitation allows the attacker to execute arbitrary Python code within the running kitty process with the full privileges of the victim user. This can lead to complete compromise of the user's system, including data theft, installation of malware, or further lateral movement. The CIA triad is fully impacted: confidentiality (information disclosure), integrity (arbitrary file modification), and availability (potential system disruption). The attacker gains the user's privilege level, not just terminal access [1].

Mitigation

Kitty version 0.47.0 fixes this issue, as announced on the publication date (2026-06-12). Users should upgrade to 0.47.0 or later immediately. No workarounds are mentioned in the available references; the existing in-tree mitigation that strips c.opts.env/c.opts.copy_env in remote_edit() does not prevent this attack. If upgrading is not possible, users should avoid viewing untrusted content (e.g., SSH output, downloaded files, logs) in kitty, but this is not a practical security boundary [1].

References

Unauthenticated in-process RCE via @kitty-edit DCS + --color=geninclude

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Kovidgoyal/Kittyinferred
Range: <0.47.0
Kitty/kittyllm-create
Range: <0.47.0

Patches

eadec09d499b

version 0.47.0

https://github.com/kovidgoyal/kittyKovid GoyalMay 19, 2026Fixed in 0.47.0via release-tag

commit

2 files changed · +2 −2

docs/changelog.rst+1 −1 modified

@@ -173,7 +173,7 @@ consumption to do the same tasks.
 Detailed list of changes
 -------------------------------------
 
-0.47.0 [future]
+0.47.0 [2026-05-19]
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 - A new :doc:`Drag and drop kitten </kittens/dnd>` to allow drag and drop of files from your shell to any GUI program even across SSH (:iss:`9984`)

kitty/constants.py+1 −1 modified

@@ -22,7 +22,7 @@ class Version(NamedTuple):
 
 appname: str = 'kitty'
 kitty_face = '🐱'
-version: Version = Version(0, 46, 2)
+version: Version = Version(0, 47, 0)
 str_version: str = '.'.join(map(str, version))
 _plat = sys.platform.lower()
 is_macos: bool = 'darwin' in _plat

Vulnerability mechanics

Root cause

"The `parse_opts_for_clone` filter in `kitty/launch.py` passes the `--color` option through to `apply_colors`, which re-parses color specs containing `=` as inline kitty config, enabling the `geninclude` directive to execute `runpy.run_path()` on attacker-supplied Python files."

Attack vector

An attacker who can write arbitrary bytes to a kitty terminal — for example a malicious SSH peer, a file viewed with `cat` or `less -R`, or log output piped through a pager — can inject the private DCS sequence `DCS @kitty-edit| ... ST`. This sequence is parsed by kitty's vt-parser without any authorization check [ref_id=1]. The embedded arguments flow through `parse_opts_for_clone`, which does not filter the `--color` option. The `--color=geninclude=<path>` value is re-parsed as inline kitty config, and the `geninclude` directive for `.py` paths calls `runpy.run_path()` in the kitty process [ref_id=1], executing attacker-supplied Python with the user's full privileges. No remote-control permission, approval prompt, or shell interaction is required [CWE-94, CWE-862].

Affected code

Multiple files in the kitty codebase are involved. The vulnerability chain begins in `kitty/vt-parser.c` (unauthenticated DCS dispatch), proceeds through `kitty/window.py` (`handle_remote_edit`), `kitty/launch.py` (`parse_opts_for_clone` and `remote_edit`), `kitty/colors.py` (`parse_colors`), and ends in `kitty/conf/utils.py` (`geninclude`/`pygeninclude`). The patch shown only bumps the version number to 0.47.0; the advisory [ref_id=1] describes the code paths but the fix is not included in this diff.

What the fix does

The included patch only increments the version string from 0.46.2 to 0.47.0 and updates the changelog date [patch_id=5749256]; it does not contain any code-level fix. The advisory [ref_id=1] and suggested fix (not included in this diff) propose stripping `color` from the options in `remote_edit()`, mirroring the existing mitigation that strips `env`/`copy_env`. Without that change, `--color=geninclude=<path>` is preserved through parsing and triggers arbitrary Python execution.

Preconditions

inputAttacker must be able to write bytes to the victim's kitty terminal (e.g., malicious SSH peer output, file contents displayed via cat/less, log output)
authVictim must view the attacker-controlled bytes through kitty terminal (user interaction required only to the extent of viewing output)

Reproduction

A self-hosting PoC is documented in the advisory [ref_id=1]. The generator script `gen.py` produces a single `poc.py` file that is simultaneously a valid Python module containing the payload and a terminal byte stream embedding `DCS @kitty-edit|...--color=geninclude=<path>...`. Running `cat poc.py` inside an affected kitty window delivers the DCS to the vt-parser and provides the `.py` file that `geninclude` runs via `runpy.run_path()`. The default payload writes a marker file at `/tmp/kitty-color-rce-poc-marker` containing the kitty process PID.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/kovidgoyal/kitty/security/advisories/GHSA-w98g-hpvr-r332nvd

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000