Kitty Terminal Heap Buffer Overflow (CVE-2026-33633) — DoS, RCE Risk
The National Vulnerability Database reports a critical heap buffer overflow (CVE-2026-33633) in Kitty, a popular cross-platform GPU-based terminal. This vulnerability, affecting versions 0.46.2 and below, resides within the load_image_data() function. It allows any process capable of writing to the terminal’s stdin to trigger an immediate crash, leading to a denial-of-service.
The attack vector is an APC graphics protocol command with a PNG format declaration (f=100) where the payload exceeds twice the initial buffer capacity. The National Vulnerability Database highlights that the overflow’s length and content are attacker-controlled, escalating the risk beyond mere DoS to potential remote code execution (RCE). The CVSS score for this vulnerability is 7.5 (High).
This is a serious issue for organizations utilizing Kitty. An attacker with even limited access to a system could leverage this to disrupt operations or gain further control. The fix has been implemented in version 0.47.0. Defenders must prioritize patching to mitigate this immediate threat.
What This Means For You
- If your organization uses Kitty terminal, you need to immediately identify all instances running versions 0.46.2 or below. Prioritize upgrading to version 0.47.0 to patch CVE-2026-33633 and prevent potential DoS and RCE attacks. This isn't theoretical; a single crafted command can crash the terminal and potentially open the door to deeper compromise.
🛡️ Detection Rules
3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma rule below is the one shown on this page.
Kitty Terminal Heap Buffer Overflow DoS (CVE-2026-33633)
```yaml
title: Kitty Terminal Heap Buffer Overflow DoS (CVE-2026-33633)
id: scw-2026-05-19-ai-1
status: experimental
level: high
description: |
  Detects the execution of the Kitty terminal with a command line argument indicating the specific graphics protocol command (f=100) used to trigger the heap buffer overflow vulnerability (CVE-2026-33633). This is a direct indicator of an attempt to exploit the vulnerability for Denial of Service or potential Remote Code Execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-33633/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'kitty.exe'
    CommandLine|contains:
      - 'f=100'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
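The Sigma rule above keys on a command-line string, but the advisory states that the trigger is written to the terminal's stdin, so a process-creation event never carries it. As an added example (not from the page, the NVD entry or the Kitty project), this Python scanner parses the graphics protocol's APC framing (ESC _ G control-data ; base64-data ESC \) in a captured terminal byte stream such as a session recording and reports PNG-format (f=100) images whose data, summed across m=1 continuation chunks, exceeds a size threshold. The threshold, the function names and the sample stream are my own assumptions; the page does not give the buffer size.

```python
import re

# Assumed threshold (the page gives no buffer size): flag PNG-format (f=100)
# graphics commands whose decoded image data exceeds this many bytes.
MAX_PNG_PAYLOAD = 4096

# Kitty graphics protocol framing: ESC _ G <k=v,...> ; <base64 data> ESC \
APC_RE = re.compile(rb"\x1b_G([^;\x1b]*)(?:;([^\x1b]*))?\x1b\\")

def parse_control(ctrl: bytes) -> dict:
    """Turn comma-separated key=value control data into a dict of str."""
    pairs = (item.split(b"=", 1) for item in ctrl.split(b",") if b"=" in item)
    return {k.decode("ascii", "replace"): v.decode("ascii", "replace") for k, v in pairs}

def find_oversized_png_commands(stream: bytes, limit: int = MAX_PNG_PAYLOAD) -> list:
    """Return one hit per f=100 image whose decoded data, summed over chunks, exceeds limit."""
    hits, total, in_png, flagged = [], 0, False, False
    for m in APC_RE.finditer(stream):
        ctrl = parse_control(m.group(1))
        if "f" in ctrl:                      # first chunk of a new image
            in_png, total, flagged = ctrl["f"] == "100", 0, False
        if not in_png:                       # RGB/RGBA images or stray chunks
            continue
        b64 = m.group(2) or b""
        total += len(b64) * 3 // 4 - b64.count(b"=")   # decoded size without decoding
        if total > limit and not flagged:    # report once, when the limit is crossed
            hits.append({"offset": m.start(), "bytes": total})
            flagged = True
        if ctrl.get("m", "0") == "0":        # m=0 (or no m key) closes the image
            in_png = False
    return hits

def apc(ctrl: bytes, data: bytes) -> bytes:
    """Frame one graphics command (used only to build the constructed sample)."""
    return b"\x1b_G" + ctrl + b";" + data + b"\x1b\\"

# Constructed sample stream: a tiny legitimate PNG transfer, a large RGB image
# (not f=100, so ignored) and a PNG sent as three chunks that grows past the limit.
SAMPLE = (
    b"ls -la\r\n"
    + apc(b"a=T,f=100,s=1,v=1", b"iVBORw0KGgo=")
    + apc(b"a=T,f=24,s=64,v=64", b"QUJD" * 3072)
    + apc(b"a=T,f=100,m=1", b"QUJD" * 1024)
    + apc(b"m=1", b"QUJD" * 1024)
    + apc(b"m=0", b"QUJD")
    + b"\r\n$ "
)

if __name__ == "__main__":
    print(find_oversized_png_commands(SAMPLE))
```

Tune MAX_PNG_PAYLOAD to the largest image size your users legitimately transfer; the oversized transfer is reported at the chunk that crosses the limit, so a sender that never closes the image with m=0 is still caught.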
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33633 | Buffer Overflow | Kitty terminal versions 0.46.2 and below |
| CVE-2026-33633 | DoS | Heap buffer overflow in load_image_data() triggered by APC graphics protocol command with PNG format (f=100) |
| CVE-2026-33633 | RCE | Heap buffer overflow in load_image_data() with attacker-controlled length and content |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 19, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.