PT-2026-41985 · Kitty · Kitty

Published 2026-05-19 · Updated 2026-05-24 · CVE-2026-33633

CVSS v3.1: 7.5 High

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Kitty versions prior to 0.47.0

Description

A heap buffer overflow exists in the load_image_data() function. This occurs when a process writes to the terminal's stdin using a single APC graphics protocol command with a PNG format declaration (f=100) where the payload exceeds twice the initial buffer capacity. An attacker can control both the length and content of the overflow, which can lead to an immediate crash (Denial of Service) or potentially result in Remote Code Execution (RCE), where an attacker executes arbitrary code on the target machine.

Recommendations

Update to version 0.47.0.
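
For hosts that cannot be updated immediately, the condition in the description (one APC graphics command declaring f=100 with an unusually large payload) can be screened for before untrusted output reaches the terminal. The following is an added example, not code from Kitty or from this advisory. It assumes the 7-bit framing ESC _ G <control> ; <payload> ESC \ from the Kitty graphics protocol documentation and a default limit of 4096 payload bytes per command taken from that documentation's chunking guidance; the advisory does not state the buffer capacity, so the limit is a parameter.

```python
import re

# 7-bit APC graphics command: ESC _ G <control> ; <payload> ESC \
# (framing assumed from the graphics protocol documentation, not this advisory)
APC_GRAPHICS = re.compile(rb"\x1b_G([^;\x1b]*)(?:;([^\x1b]*))?\x1b\\")


def parse_control(control: bytes) -> dict:
    """Split comma-separated key=value control data into a dict."""
    fields = {}
    for item in control.split(b","):
        key, sep, value = item.partition(b"=")
        if sep:
            fields[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return fields


def find_oversized_png_commands(stream: bytes, max_payload: int = 4096) -> list:
    """Report single graphics commands that declare f=100 (PNG) and carry
    more than max_payload payload bytes. max_payload is an assumed policy
    limit, not the buffer capacity of any Kitty version."""
    findings = []
    for match in APC_GRAPHICS.finditer(stream):
        fields = parse_control(match.group(1))
        payload = match.group(2) or b""
        if fields.get("f") == "100" and len(payload) > max_payload:
            findings.append({
                "offset": match.start(),
                "payload_len": len(payload),
                "control": fields,
            })
    return findings


# Constructed sample: tiny payloads, checked against a lowered limit of 16 bytes.
SAMPLE = (
    b"text "
    + b"\x1b_Ga=T,f=100;" + b"QUFB" + b"\x1b\\"      # small PNG command
    + b" more "
    + b"\x1b_Ga=T,f=100;" + b"A" * 40 + b"\x1b\\"    # PNG command over the limit
    + b"\x1b_Ga=T,f=32;" + b"A" * 40 + b"\x1b\\"     # same size, not declared PNG
)

if __name__ == "__main__":
    for finding in find_oversized_png_commands(SAMPLE, max_payload=16):
        print(finding)
```

Commands that are never terminated, or that use the 8-bit string terminator, are not matched by this pattern and need separate handling.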

Exploit · Fix · DoS · RCE · Heap Based Buffer Overflow


Weakness Enumeration

Related Identifiers: CVE-2026-33633

Affected Products: Kitty