CVE-2026-33633

Severity: High · Public PoC available

Published: 19 May 2026
Modified: 22 May 2026
KEV Added: not listed
Patch: fixed in version 0.47.0 (see Vulnerability details)
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0037 (28.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33633 is a high-severity heap-based buffer overflow (CWE-122) vulnerability in Kovidgoyal Kitty. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The EPSS model ranks it at the 28.7th percentile by exploit likelihood, below the median. It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

Vulnerability details

Kitty is a cross-platform GPU-based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing a denial of service and potentially escalating to remote code execution. This issue has been fixed in version 0.47.0.

CWE(s)

CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap buffer overflow in client terminal application enables direct exploitation for code execution via crafted stdin input.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33642 (same product: Kovidgoyal Kitty)
CVE-2026-40363 (shared CWE-122)
CVE-2025-59295 (shared CWE-122)
CVE-2025-21266 (shared CWE-122)
CVE-2026-25713 (shared CWE-122)
CVE-2026-5272 (shared CWE-122)
CVE-2026-8509 (shared CWE-122)
CVE-2025-21171 (shared CWE-122)
CVE-2026-23530 (shared CWE-122)
CVE-2026-23532 (shared CWE-122)

Affected Assets

Vendor: kovidgoyal
Product: kitty
Versions: ≤ 0.47.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.