Cyber Resilience

CVE-2026-33642

Critical · Public PoC

Published: 19 May 2026
Modified: 22 May 2026
KEV Added: (not listed)
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H)
EPSS Score: 0.0029 (20.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33642 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Kovidgoyal Kitty. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 20.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

Kitty is a cross-platform GPU-based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to a heap buffer over-read or over-write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.
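The wrapping bounds check the advisory describes, as an added illustration that is not kitty's code: a hypothetical offset check written in the vulnerable unsigned-addition form beside a hardened form that cannot wrap. The struct, function names and dimensions are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not kitty's code: a destination image whose
 * cell buffer spans dst.width x dst.height. */
typedef struct {
    uint32_t width;
    uint32_t height;
} image_dims_t;

/* Vulnerable shape: offset + size is computed in uint32_t and wraps modulo
 * 2^32, so a huge offset can produce a tiny sum that passes the check. */
bool offsets_in_bounds_wrapping(image_dims_t dst, uint32_t x_off, uint32_t y_off,
                                uint32_t src_w, uint32_t src_h) {
    return x_off + src_w <= dst.width && y_off + src_h <= dst.height;
}

/* Hardened shape: reject an offset past the edge first, then compare the
 * source size against the remaining room. The subtractions cannot wrap
 * because each offset is already known not to exceed its dimension. */
bool offsets_in_bounds_safe(image_dims_t dst, uint32_t x_off, uint32_t y_off,
                            uint32_t src_w, uint32_t src_h) {
    if (x_off > dst.width || y_off > dst.height) return false;
    return src_w <= dst.width - x_off && src_h <= dst.height - y_off;
}

int main(void) {
    image_dims_t dst = { 100, 50 };
    /* Constructed offsets: x_off + src_w wraps to 4, which is <= 100. */
    uint32_t x_off = UINT32_MAX - 5, src_w = 10;
    printf("wrapping check accepts: %d\n",
           offsets_in_bounds_wrapping(dst, x_off, 0, src_w, 10));
    printf("safe check accepts:     %d\n",
           offsets_in_bounds_safe(dst, x_off, 0, src_w, 10));
    return 0;
}
```

The same pattern (compare against remaining room rather than summing offset and size) applies to any size-plus-offset check in unsigned arithmetic.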

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Integer wrap in terminal escape sequence handler enables client-side memory corruption leading to RCE via malicious input (file/SSH/piped).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33633: same product (Kovidgoyal Kitty)
CVE-2026-43909: shared CWE-125, CWE-190
CVE-2026-9910: shared CWE-125, CWE-787
CVE-2026-5735: shared CWE-125, CWE-787
CVE-2026-42046: shared CWE-190, CWE-787
CVE-2026-6786: shared CWE-125, CWE-787
CVE-2026-6785: shared CWE-125, CWE-787
CVE-2026-21485: shared CWE-125, CWE-190
CVE-2026-21486: shared CWE-190, CWE-787
CVE-2026-25585: shared CWE-125, CWE-787

Affected Assets

kovidgoyal kitty ≤ 0.47.0

Mitigating Controls

Likely Mitigating Controls (AI mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.