Kitty Terminal Heap Over-Read/Write Vulnerability (CVE-2026-33642) Critical Severity

The National Vulnerability Database has disclosed CVE-2026-33642, a critical vulnerability affecting Kitty, a cross-platform GPU-accelerated terminal emulator. Versions 0.46.2 and earlier contain a flaw in the handle_compose_command() function where unsigned 32-bit arithmetic for composition offsets is susceptible to integer wrapping. This can allow an attacker to bypass bounds checks and trigger heap buffer over-reads or writes within the compose_rectangles() function.

An attacker can exploit this vulnerability by simply sending crafted escape sequences to a Kitty terminal. This requires no user interaction and no non-default configurations. The National Vulnerability Database notes that an attacker merely needs the ability to produce output within a Kitty terminal window, making vectors like malicious files, SSH login banners, or piped content viable attack paths. The severity is rated CVSS 9.9 (CRITICAL).

This vulnerability has been patched in Kitty version 0.47.0. Defenders should prioritize updating all Kitty terminal instances to the latest version immediately. For systems where immediate patching is not feasible, strict input sanitization for any content displayed within Kitty terminals should be considered, though this is a difficult control to implement effectively against arbitrary escape sequence injection.
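The bug class the advisory describes, as an added illustration that is not Kitty's code and does not reproduce the real handle_compose_command(): a hypothetical bounds check that forms offset + len in uint32_t, so a large offset paired with a small length wraps past zero and passes, beside the overflow-safe form that never computes the sum. Buffer size and request values are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical destination size; not taken from Kitty's source. */
#define BUF_SIZE 4096u

/* Naive check: offset + len is evaluated in 32-bit unsigned arithmetic and
 * can wrap past zero, so a huge offset with a small length passes. */
bool range_ok_naive(uint32_t offset, uint32_t len, uint32_t buf_size) {
    return offset + len <= buf_size;
}

/* Hardened check: never forms offset + len, so no intermediate can wrap. */
bool range_ok_safe(uint32_t offset, uint32_t len, uint32_t buf_size) {
    return len <= buf_size && offset <= buf_size - len;
}

/* Simulated compose step: copy len bytes into dst at offset only when the
 * hardened check passes. Returns bytes written, 0 when rejected. */
size_t compose_copy(uint8_t *dst, uint32_t dst_size,
                    const uint8_t *src, uint32_t offset, uint32_t len) {
    if (!range_ok_safe(offset, len, dst_size)) return 0;
    memcpy(dst + offset, src, len);
    return len;
}

/* Runs one request against a static buffer (constructed demo input). */
size_t demo_compose(uint32_t offset, uint32_t len) {
    static uint8_t dst[BUF_SIZE];
    static const uint8_t src[64] = {0};
    if (len > sizeof src) return 0;   /* keep the demo's own source in range */
    return compose_copy(dst, BUF_SIZE, src, offset, len);
}

/* Constructed wrapped request: 0xFFFFFFF0 + 0x20 wraps to 0x10 in uint32_t,
 * which the naive check accepts as "within 4096". */
bool naive_accepts_wrapped_request(void) {
    return range_ok_naive(0xFFFFFFF0u, 0x20u, BUF_SIZE);
}
```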

What This Means For You

  • If your organization uses the Kitty terminal emulator, immediately update to version 0.47.0 or later. This vulnerability is remotely exploitable without user interaction, meaning any system running a vulnerable version that can display output is at risk.

🛡️ Detection Rules

Level: critical · ATT&CK T1190 (Initial Access)

CVE-2026-33642 - Kitty Terminal Heap Over-Read/Write via Crafted Escape Sequences

Sigma YAML:
title: CVE-2026-33642 - Kitty Terminal Heap Over-Read/Write via Crafted Escape Sequences
id: scw-2026-05-19-ai-1
status: experimental
level: critical
description: |
  Detects the execution of the Kitty terminal emulator with command line arguments that contain escape sequences commonly used to trigger graphical control operations. This rule specifically targets CVE-2026-33642 by looking for the Kitty executable and patterns indicative of escape sequences that could be used to craft the malicious offsets for the heap over-read/write vulnerability in handle_compose_command().
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-33642/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'kitty'
    # Sigma matches these as the literal characters backslash, x, 1, b rather
    # than the ESC byte (0x1b); the advisory also says the trigger is output
    # rendered in the terminal (files, SSH banners, piped content), which a
    # process_creation command line does not capture, so treat this rule as
    # narrow in coverage.
    CommandLine|contains:
      - '\x1b[<'
      - '\x1b[>'
  # condition belongs directly under detection, not nested under selection
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-33642 | Vulnerability | CVE-2026-33642

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
