Source: kitty
Version: 0.46.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for kitty.

CVE-2026-33633[0]:
| Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and
| below contain a heap buffer overflow in load_image_data() that
| allows any process which can write to the terminal's stdin to crash
| kitty immediately. The vulnerability is triggered by a single APC
| graphics protocol command with a PNG format declaration (f=100)
| whose payload exceeds twice the initial buffer capacity. The
| overflow is attacker-controlled in both length and content, causing
| DoS and potentially escalation to RCE itself. This issue has been
| fixed in version 0.47.0.

CVE-2026-33642[1]:
| Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and
| below, the handle_compose_command() function in kitty/graphics.c
| performs bounds validation on composition offsets using unsigned
| 32-bit arithmetic that is subject to integer wrapping, potentially
| leading to Heap Buffer Over-Read/Write. An attacker who can write
| escape sequences to a kitty terminal (e.g., via a malicious file,
| SSH login banner, or piped content) can supply crafted
| x_offset/y_offset values that pass the bounds check after wrapping
| but cause massive out-of-bounds heap memory access in
| compose_rectangles(). No user interaction is required. No
| non-default configuration is required. The attacker only needs the
| ability to produce output in a kitty terminal window. This issue has
| been fixed in version 0.47.0.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33633
    https://www.cve.org/CVERecord?id=CVE-2026-33633
    https://github.com/kovidgoyal/kitty/security/advisories/GHSA-j68c-v8x4-269g
[1] https://security-tracker.debian.org/tracker/CVE-2026-33642
    https://www.cve.org/CVERecord?id=CVE-2026-33642
    https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
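The two CVE descriptions above name two classic C defects: a heap buffer that is grown once (doubled) and then written with a payload larger than the new size, and a rectangle bounds check whose unsigned 32-bit addition wraps so that a huge offset passes. The following is an added example written for this report; it is not kitty's code and does not reproduce kitty's data structures. It shows, side by side, a wrapping bounds check and a wrap-free one, and a buffer append that keeps doubling until the whole payload fits and refuses sizes that would overflow `size_t`. All function names, the 64-byte initial capacity and the sample values are constructed for the example.

```c
/* Added example (not kitty's code): defensive patterns for the two
 * bug classes named in the report. Names and sizes are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive check: x_off + w is computed in 32 bits and can wrap, so an
 * offset near UINT32_MAX passes although the rectangle lies far
 * outside the image. Kept only to contrast with the checked version. */
bool rect_in_bounds_wrapping(uint32_t img_w, uint32_t img_h,
                             uint32_t x_off, uint32_t y_off,
                             uint32_t w, uint32_t h) {
    return x_off + w <= img_w && y_off + h <= img_h;
}

/* Wrap-free check: compare before subtracting, never add. Every
 * intermediate value is bounded by the image dimensions. */
bool rect_in_bounds_checked(uint32_t img_w, uint32_t img_h,
                            uint32_t x_off, uint32_t y_off,
                            uint32_t w, uint32_t h) {
    if (x_off > img_w || y_off > img_h) return false;
    return w <= img_w - x_off && h <= img_h - y_off;
}

/* Minimal growable byte buffer. */
typedef struct {
    uint8_t *data;
    size_t len;
    size_t cap;
} buf_t;

/* Append n bytes. Capacity doubles as many times as needed (a payload
 * larger than 2*cap needs more than one doubling). Returns false and
 * leaves the buffer untouched if len + n or the capacity would wrap,
 * or if realloc fails. */
bool buf_append(buf_t *b, const uint8_t *src, size_t n) {
    if (n > SIZE_MAX - b->len) return false;      /* len + n would wrap */
    size_t need = b->len + n;
    if (need > b->cap) {
        size_t new_cap = b->cap ? b->cap : 64;
        while (new_cap < need) {
            if (new_cap > SIZE_MAX / 2) return false;  /* doubling would wrap */
            new_cap *= 2;
        }
        uint8_t *p = realloc(b->data, new_cap);
        if (!p) return false;
        b->data = p;
        b->cap = new_cap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return true;
}

void buf_free(buf_t *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Demonstration: start from a 64-byte buffer and append one constructed
 * payload of payload_len bytes (all 0xAB). Returns the resulting
 * capacity after verifying every byte landed, or 0 on any failure. */
size_t demo_append(size_t payload_len) {
    buf_t b = { .data = malloc(64), .len = 0, .cap = 64 };
    uint8_t *payload = malloc(payload_len ? payload_len : 1);
    size_t result = 0;
    if (b.data && payload) {
        memset(payload, 0xAB, payload_len);
        if (buf_append(&b, payload, payload_len) && b.len == payload_len) {
            result = b.cap;
            for (size_t i = 0; i < payload_len; i++)
                if (b.data[i] != 0xAB) { result = 0; break; }
        }
    }
    free(payload);
    buf_free(&b);
    return result;
}

int main(void) {
    /* Constructed values: a 100x100 image and an offset near UINT32_MAX. */
    printf("wrapping check passes bad rect: %d\n",
           rect_in_bounds_wrapping(100, 100, 0xFFFFFFF0u, 0, 32, 10));
    printf("checked check rejects it:       %d\n",
           !rect_in_bounds_checked(100, 100, 0xFFFFFFF0u, 0, 32, 10));
    printf("cap after 200-byte append into 64-byte buffer: %zu\n",
           demo_append(200));
    return 0;
}
```

The wrapping variant accepts the constructed rectangle because 0xFFFFFFF0 + 32 is 16 in 32-bit arithmetic, which is less than the image width; the checked variant rejects it at the first comparison. The append grows 64 to 128 to 256 for a 200-byte payload rather than stopping at one doubling and writing past the end.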

