Heap Buffer Overflow in Kitty Terminal Affects Multiple Users
CVE-2026-33633

7.5 HIGH

Key Information:

Vendor: Kovidgoyal
Status: Vendor
CVE Published: 19 May 2026

What is CVE-2026-33633?

Kitty, a cross-platform GPU-based terminal, is affected by a heap buffer overflow in its load_image_data() function. Any process that can write to the terminal's stdin can cause an immediate crash by issuing a single APC graphics protocol command. The overflow is triggered by a PNG-format payload that exceeds the initial buffer capacity; the result is a denial of service (DoS) and possibly remote code execution (RCE). Users are urged to upgrade to version 0.47.0 or later, where the issue has been addressed.
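The defect class the description names, as an added illustration in C that is not kitty's code and not its fixed load_image_data(): a hypothetical chunk accumulator whose unchecked append writes past a heap block sized up front once a payload exceeds the initial capacity, shown beside the bounds-checked form that grows the buffer before copying. The struct, function names and size limits are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical chunk accumulator, not kitty's load_image_data(): image data
 * arrives in pieces and is appended to a heap buffer sized up front. */
#define INITIAL_CAPACITY 64
#define MAX_IMAGE_BYTES (64u * 1024u * 1024u)
typedef struct { uint8_t *buf; size_t len, cap; } image_buf;

/* Defect shape: the copy trusts the initial allocation, so a payload larger
 * than INITIAL_CAPACITY writes past the end of the heap block. Kept for
 * contrast only; the demo below never calls it. */
void append_unchecked(image_buf *ib, const uint8_t *chunk, size_t n) {
    memcpy(ib->buf + ib->len, chunk, n);
    ib->len += n;
}

/* Hardened form: enforce a ceiling (which also rules out len + n wrapping),
 * grow the buffer before copying, and fail closed on allocation errors. */
int append_checked(image_buf *ib, const uint8_t *chunk, size_t n) {
    if (ib->len > MAX_IMAGE_BYTES || n > MAX_IMAGE_BYTES - ib->len) return -1;
    size_t need = ib->len + n;
    if (need > ib->cap) {
        size_t cap = ib->cap ? ib->cap : INITIAL_CAPACITY;
        while (cap < need) cap *= 2;          /* stays <= MAX_IMAGE_BYTES */
        uint8_t *p = realloc(ib->buf, cap);
        if (!p) return -1;                    /* old buffer remains valid */
        ib->buf = p;
        ib->cap = cap;
    }
    memcpy(ib->buf + ib->len, chunk, n);
    ib->len += n;
    return 0;
}

/* Feed a constructed 200-byte payload (larger than INITIAL_CAPACITY) in two
 * chunks through the hardened append. Returns the final length, 0 on error. */
size_t demo_oversized_payload(void) {
    uint8_t payload[200];
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)i;
    image_buf ib = { malloc(INITIAL_CAPACITY), 0, INITIAL_CAPACITY };
    if (!ib.buf) return 0;
    int ok = append_checked(&ib, payload, 50) == 0 &&
             append_checked(&ib, payload + 50, 150) == 0 &&
             memcmp(ib.buf, payload, sizeof payload) == 0;
    size_t len = ok ? ib.len : 0;
    free(ib.buf);
    return len;
}
```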

Affected Version(s)

kitty < 0.47.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
