PT-2026-41992 · Kitty · Kitty

Published

2026-05-19

·

Updated

2026-05-26

·

CVE-2026-33642

CVSS v3.1

9.9

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions Kitty versions prior to 0.47.0
Description An issue exists in the handle_compose_command() function in kitty/graphics.c, where the bounds validation of composition offsets is performed in unsigned 32-bit arithmetic. That addition can wrap around, so crafted x and y offset values pass the bounds check after wrapping and later drive a large out-of-bounds heap read or write in the compose_rectangles() function. Any attacker who can get escape sequences written to the terminal, for example through a malicious file, an SSH login banner, or piped content, can supply such values. No user interaction and no non-default configuration is required; the ability to produce output in the terminal window is sufficient.
Recommendations Update to version 0.47.0.
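The bug class in the description, shown as an added illustration that is not kitty's code: a bounds check whose sum is computed in uint32_t wraps for a large offset and accepts it, a hardened check that compares against the remaining room instead, and a helper that computes in 64 bits how far a pixel copy with the accepted rectangle would run past the destination buffer. Names such as check_wrapping, check_safe, overrun_bytes, dest_w and the sample offsets are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the advisory's bug class; not kitty's code.
 * The destination is treated as a dest_w x dest_h RGBA image (4 bytes/pixel). */

/* Vulnerable pattern: x_offset + width is evaluated in uint32_t, so an offset
 * near UINT32_MAX wraps the sum to a small number that passes the limit. */
static bool check_wrapping(uint32_t x_offset, uint32_t width, uint32_t dest_width)
{
    return x_offset + width <= dest_width;
}

/* Hardened pattern: validate the offset first, then compare the width against
 * the remaining room. No addition is performed, so nothing can wrap. */
static bool check_safe(uint32_t x_offset, uint32_t width, uint32_t dest_width)
{
    return x_offset <= dest_width && width <= dest_width - x_offset;
}

/* How many bytes past the end of the destination buffer a per-pixel copy of a
 * w x h rectangle placed at (x, y) would touch. Computed in uint64_t so the
 * true (unwrapped) index is visible. Returns 0 when fully in bounds.
 * Requires w >= 1 and h >= 1. */
static uint64_t overrun_bytes(uint32_t dest_w, uint32_t dest_h,
                              uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    uint64_t dest_bytes = (uint64_t)dest_w * dest_h * 4;
    uint64_t last_row = (uint64_t)y + h - 1;
    uint64_t last_col = (uint64_t)x + w - 1;
    uint64_t last_byte = (last_row * dest_w + last_col) * 4 + 3;
    return last_byte < dest_bytes ? 0 : last_byte - dest_bytes + 1;
}

int main(void)
{
    /* Constructed sample: a 100x100 destination, a 32x1 source, and an x offset
     * chosen so that x + width wraps to 16 in 32-bit arithmetic. */
    const uint32_t dest_w = 100, dest_h = 100;
    const uint32_t x = 0xFFFFFFF0u, y = 0, w = 0x20u, h = 1;

    printf("wrapping check accepts: %s\n", check_wrapping(x, w, dest_w) ? "yes" : "no");
    printf("safe check accepts:     %s\n", check_safe(x, w, dest_w) ? "yes" : "no");
    printf("bytes past end of dest: %llu\n",
           (unsigned long long)overrun_bytes(dest_w, dest_h, x, y, w, h));
    return 0;
}
```

The wrapping check accepts the rectangle because 0xFFFFFFF0 + 0x20 evaluates to 0x10 in uint32_t, while the same offset fed to the copy loop indexes roughly 16 GiB beyond the destination; the hardened check rejects it before any index is formed.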

Exploit

Fix

Weakness Enumeration

Out of bounds Read

Integer Overflow

Memory Corruption

Related Identifiers

CVE-2026-33642

Affected Products

Kitty