PatchSiren


CVE-2026-33642 kovidgoyal CVE debrief

CVE-2026-33642 is a critical memory-safety issue in kitty’s graphics composition handling. According to the published advisory and NVD record, crafted escape sequences can cause integer wrapping in bounds validation, allowing out-of-bounds heap memory access in affected versions (0.46.2 and below). The issue is fixed in kitty 0.47.0.

Vendor: kovidgoyal
Product: kitty
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Anyone running kitty, especially users and administrators who may display untrusted terminal output such as files, SSH login banners, piped content, or other remote-provided text. Security teams managing endpoints or developer workstations with kitty installed should prioritize review and upgrading.

Technical summary

The vulnerability is described as an integer-wrapping bug in handle_compose_command() within kitty/graphics.c. The bounds checks on composition offsets are computed in unsigned 32-bit arithmetic, so attacker-controlled x_offset and y_offset values large enough to wrap modulo 2^32 produce a result that satisfies the check even though the rectangle lies outside the destination buffer. compose_rectangles() then reads and writes heap memory well outside that buffer. The NVD record lists CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H (9.9) with weaknesses CWE-190 (integer overflow or wraparound), CWE-125 (out-of-bounds read) and CWE-787 (out-of-bounds write).
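
The wrap-then-compare pattern described above, as an added illustration that is not kitty's code: the parameter names, the 800x600 RGBA canvas and the request values are assumptions chosen to show the mechanism, and the vulnerable checker mirrors the description of unsigned 32-bit offset arithmetic rather than the actual handle_compose_command() source. The hardened variant shows the standard fix of comparing the size against the room left after the offset, so no addition can wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model, not kitty's code: a canvas of cw x ch RGBA pixels and a
 * compose request that places a w x h rectangle at (x, y). All four request
 * fields are assumed to be parsed from an attacker-controlled escape sequence. */

/* Vulnerable pattern: x + w is computed in uint32_t, so it is reduced modulo
 * 2^32 before the comparison. A huge x with a small w wraps to a small value
 * that passes the check. */
static bool check_compose_wrapping(uint32_t cw, uint32_t ch,
                                   uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    uint32_t x_end = x + w;  /* wraps silently */
    uint32_t y_end = y + h;
    return x_end <= cw && y_end <= ch;
}

/* Hardened pattern: reject the offset first, then compare the size against the
 * remaining room. The subtraction cannot underflow because x < cw is known. */
static bool check_compose_safe(uint32_t cw, uint32_t ch,
                               uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0) return false;       /* nothing to compose */
    if (x >= cw || w > cw - x) return false;
    if (y >= ch || h > ch - y) return false;
    return true;
}

/* Offset of the last byte a row-major compose loop would touch, computed in
 * 64 bits so the value itself cannot wrap; true when it lies past the buffer. */
static bool last_pixel_out_of_bounds(uint32_t cw, uint32_t ch,
                                     uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0) return false;
    uint64_t nbytes    = (uint64_t)cw * ch * 4;
    uint64_t last_row  = (uint64_t)y + h - 1;
    uint64_t last_col  = (uint64_t)x + w - 1;
    uint64_t last_byte = (last_row * cw + last_col) * 4 + 3;
    return last_byte >= nbytes;
}

int main(void)
{
    const uint32_t cw = 800, ch = 600;  /* assumed canvas size */
    /* Constructed requests: one benign, one where x + w wraps, one where y + h wraps. */
    struct { uint32_t x, y, w, h; } reqs[] = {
        { 10,          20,          100,  50 },
        { 0xFFFFFFF0u, 0,           0x20, 1  },
        { 0,           0xFFFFFFFFu, 1,    2  },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        uint32_t x = reqs[i].x, y = reqs[i].y, w = reqs[i].w, h = reqs[i].h;
        printf("x=0x%08x y=0x%08x w=%u h=%u: wrapping-check=%s safe-check=%s oob=%s\n",
               x, y, w, h,
               check_compose_wrapping(cw, ch, x, y, w, h) ? "pass" : "reject",
               check_compose_safe(cw, ch, x, y, w, h)     ? "pass" : "reject",
               last_pixel_out_of_bounds(cw, ch, x, y, w, h) ? "yes" : "no");
    }
    return 0;
}
```

The two wrapped requests pass check_compose_wrapping() while their last pixel lands far beyond the 1,920,000-byte canvas; check_compose_safe() rejects both. The same remaining-room comparison works for any unsigned width, which is why it is preferred over widening the sum to 64 bits and comparing.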

Defensive priority

Critical. The NVD vector rates this as network-reachable with no user interaction because the crafted escape sequence only has to appear in something kitty renders, such as remote command output over SSH, a login banner or a file written to the terminal; the user need take no further action once that content is displayed. Upgrade immediately if you run 0.46.2 or earlier.

Recommended defensive actions

  • Upgrade kitty to version 0.47.0 or later as soon as possible.
  • Inventory systems that use kitty and confirm installed package versions.
  • Treat any untrusted terminal output as risky until patching is complete, including SSH banners, remote command output, and piped content.
  • After upgrading, confirm on each endpoint and developer machine that kitty --version reports 0.47.0 or later; anything reporting 0.46.2 or earlier is still affected.
  • Track the vendor advisory and related commit for any follow-up guidance.

Evidence notes

This debrief is based on the supplied NVD record published 2026-05-19 and the linked GitHub security advisory and commit. The source metadata states the vulnerability affects kitty versions 0.46.2 and below and is fixed in 0.47.0. NVD lists CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H and the relevant weakness tags CWE-125, CWE-190, and CWE-787.

Official resources

Published in the official CVE/NVD record on 2026-05-19 and updated the same day; the linked advisory and commit identify kitty 0.47.0 as the fixed release.