PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33633 kovidgoyal CVE debrief

CVE-2026-33633 is a heap buffer overflow in kitty’s load_image_data() path for APC graphics handling. A single crafted APC graphics protocol command with a PNG declaration (f=100) and an oversized payload can crash kitty, and the memory corruption raises concern for broader impact beyond denial of service. The issue is fixed in kitty 0.47.0.

Vendor: kovidgoyal
Product: kitty
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Anyone running kitty 0.46.2 or earlier should pay attention, especially if the terminal can receive input from untrusted or semi-trusted processes that write to stdin. Systems that embed kitty in workflows with automated input, scripts, or remote content delivery should prioritize review and upgrade.

Technical summary

According to the supplied record and GitHub advisory references, the flaw is a heap-based buffer overflow in load_image_data() when processing APC graphics data. The trigger is a single APC graphics command declaring PNG format (f=100) whose payload exceeds twice the initial buffer capacity, allowing attacker-controlled length and content to overflow the heap buffer. NVD maps the issue to CWE-122 and lists CVSS v3.1 7.5 HIGH (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Defensive priority

High. The bug can produce immediate process crashes and involves memory corruption in a terminal emulator, so upgrade planning should be prompt even though exploitation requires a crafted input path.

Recommended defensive actions

  • Upgrade kitty to version 0.47.0 or later as soon as practical.
  • Treat any environment where untrusted processes can write to kitty's stdin as higher risk until patched.
  • Review automation, plugins, scripts, and remote workflows that can inject APC graphics data into terminal input streams.
  • If upgrade must be delayed, reduce exposure to untrusted terminal input and monitor for unexpected kitty crashes.
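As an added illustration of the trigger condition in the technical summary and of the review step above (example code written for this debrief, not code from the kitty project or the advisory), a small Python scanner that parses kitty APC graphics commands out of captured terminal input and flags any single command that declares PNG (f=100) with an oversized payload. The 4096-byte threshold and the sample stream are constructed assumptions; the record does not give the parser's initial buffer size.

```python
import re

# Assumed alert threshold (constructed): the advisory says the trigger payload
# exceeds twice the parser's initial buffer capacity but does not give that
# size, so this value is a tunable assumption, not kitty's real limit.
MAX_SINGLE_PNG_PAYLOAD = 4096

# kitty graphics command: ESC _ G <control data> [; <base64 payload>] ESC \
APC_GRAPHICS = re.compile(rb"\x1b_G([^;\x1b]*)(?:;([^\x1b]*))?\x1b\\")


def parse_control(control: bytes) -> dict:
    """Split the comma-separated key=value control data into a dict."""
    opts = {}
    for item in control.split(b","):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            opts[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return opts


def find_oversized_png_commands(stream: bytes, limit: int = MAX_SINGLE_PNG_PAYLOAD) -> list:
    """Return one record per APC graphics command that declares PNG (f=100)
    and carries more than `limit` payload bytes in a single command."""
    findings = []
    for match in APC_GRAPHICS.finditer(stream):
        opts = parse_control(match.group(1))
        payload = match.group(2) or b""
        if opts.get("f") == "100" and len(payload) > limit:
            findings.append({
                "offset": match.start(),
                "payload_len": len(payload),
                "control": opts,
            })
    return findings


# Constructed sample stream: a normal-sized PNG transfer, an unrelated APC
# command (delete), and one single command whose payload is over the threshold.
SAMPLE_STREAM = (
    b"\x1b_Gf=100,a=T;" + b"A" * 64 + b"\x1b\\"
    + b"\x1b_Ga=d\x1b\\"
    + b"\x1b_Ga=T,f=100,i=7;" + b"A" * (MAX_SINGLE_PNG_PAYLOAD * 2 + 1) + b"\x1b\\"
)

if __name__ == "__main__":
    for hit in find_oversized_png_commands(SAMPLE_STREAM):
        print(f"oversized f=100 command at offset {hit['offset']}: "
              f"{hit['payload_len']} payload bytes, control={hit['control']}")
```

Feed it a recorded session (for example the output of `script`) from any pipeline where semi-trusted processes write to a kitty stdin, and treat a hit as a reason to inspect that source before the upgrade lands.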

Evidence notes

The CVE/NVD record for 2026-05-19 identifies the issue as CVE-2026-33633 and references GitHub Security Advisory GHSA-j68c-v8x4-269g plus commit e9661f0f3afb4e4dbffa509adfb3df3c9780ad34. The supplied metadata lists kitty versions 0.46.2 and below as affected and states the fix landed in 0.47.0. NVD lists CWE-122 and CVSS v3.1 7.5 HIGH with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. No KEV listing is present in the supplied corpus.

Official resources

Publicly disclosed on 2026-05-19 in the CVE/NVD record, with the GitHub Security Advisory and fix commit referenced in the same source set.