CVE-2026-33642 is a critical memory-safety issue in kitty’s graphics composition handling. According to the published advisory and NVD record, crafted escape sequences can cause integer wrapping in bounds validation, allowing out-of-bounds heap memory access in affected versions (0.46.2 and below). The issue is fixed in kitty 0.47.0.
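The bug class described for CVE-2026-33642, shown as an added illustration that is not kitty's code or its actual fix: a bounds check whose addition wraps in 32 bits, beside a form that cannot wrap. The names `rect_t`, `rect_fits_wrapping`, `rect_fits_checked` and `rect_start_offset`, the 64x64 image and the 4-bytes-per-pixel layout are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical rectangle from a composition request; every field is
 * untrusted because it arrives inside an escape sequence. */
typedef struct { uint32_t x, y, width, height; } rect_t;

/* Flawed pattern: x + width is computed in 32 bits and wraps modulo 2^32,
 * so a huge x with a small width yields a small sum that passes. */
static bool rect_fits_wrapping(rect_t r, uint32_t img_w, uint32_t img_h) {
    return r.x + r.width <= img_w && r.y + r.height <= img_h;
}

/* Hardened pattern: compare by subtraction, which cannot wrap once
 * width <= img_w has been established. Empty rectangles are rejected. */
static bool rect_fits_checked(rect_t r, uint32_t img_w, uint32_t img_h) {
    if (r.width == 0 || r.height == 0) return false;
    if (r.width > img_w || r.height > img_h) return false;
    return r.x <= img_w - r.width && r.y <= img_h - r.height;
}

/* Byte offset of the rectangle's first pixel (assumed 4 bytes per pixel),
 * computed in 64 bits so the offset arithmetic itself cannot wrap. */
static uint64_t rect_start_offset(rect_t r, uint32_t img_w) {
    return ((uint64_t)r.y * img_w + r.x) * 4u;
}

int main(void) {
    const uint32_t img_w = 64, img_h = 64;          /* constructed image size */
    const uint64_t buf_len = (uint64_t)img_w * img_h * 4u;
    const rect_t samples[] = {                      /* constructed inputs */
        { 8, 8, 16, 16 },                           /* in bounds */
        { 60, 0, 8, 8 },                            /* plain overrun */
        { UINT32_MAX - 3, 0, 8, 8 },                /* x + width wraps to 4 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        rect_t r = samples[i];
        printf("x=%u w=%u wrapping=%d checked=%d offset=%llu buf=%llu\n",
               r.x, r.width, rect_fits_wrapping(r, img_w, img_h),
               rect_fits_checked(r, img_w, img_h),
               (unsigned long long)rect_start_offset(r, img_w),
               (unsigned long long)buf_len);
    }
    return 0;
}
```

The third sample passes the wrapping check while its start offset lies far beyond the buffer length, which is the gap between validation and access that the advisory describes.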
CVE-2026-33633 is a heap buffer overflow in kitty’s load_image_data() path for APC graphics handling. A single crafted APC graphics protocol command with a PNG declaration (f=100) and an oversized payload can crash kitty, and the memory corruption raises concern for broader impact beyond denial of service. The issue is fixed in kitty 0.47.0.