External risk intelligence

Kitty could allow an internal attacker to run malicious code on user systems.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-33642

A memory vulnerability in the Kitty terminal emulator allows an internal attacker to run unauthorized code by sending malicious data to an active terminal window. This could grant the attacker full control over the terminal session and lead to complete compromise of the host system.

1Halo Surface Signal

Out-of-bounds Read

Kovidgoyal Kitty

before 0.47.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-33642

Kitty is a client-side terminal emulator application installed and executed on local user workstations. It is not an internet-facing service, web application, or network gateway. The vulnerability exists within the local terminal process and requires the user to process malicious content, fitting the rubric definition for client-side or local-only software.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Kitty terminal emulator could allow an attacker to execute arbitrary code by sending specially crafted escape sequences. This means that simply displaying malicious content in a Kitty terminal could lead to a compromise of the system, as no user interaction is needed beyond the content being rendered.

Can affect any Kitty user.
Requires only outputting malicious content.
Potentially leads to full system compromise.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending specially crafted escape sequences to a user's Kitty terminal. This would trigger a heap buffer over-read/write vulnerability, allowing the attacker to potentially gain control of the application's memory. The attacker only needs the ability to write output to the terminal, not direct access to the system.

Malicious file or piped content.
No user interaction needed.
Requires output to terminal.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Kitty terminal versions before 0.47.0 is a heap buffer overflow that can be triggered remotely with no user interaction. Attackers would likely find this attractive due to the lack of prerequisites for exploitation, making it a prime candidate for widespread abuse.

No user interaction required.
Exploitation requires only outputting escape sequences.
No KEV or public exploit reported.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize patching Kitty to version 0.47.0 to address a critical heap buffer overflow vulnerability. If immediate patching is not feasible, isolate systems running affected versions of Kitty to prevent exploitation via crafted escape sequences.

Upgrade Kitty to 0.47.0.
Isolate affected Kitty terminals.
Monitor for anomalous terminal behavior.

Frequently asked questions

What is the Kitty terminal emulator?

Kitty is a cross-platform GPU-based terminal emulator. It is used by people to interact with their computer's command-line interface and run various applications directly from the terminal.

How does CVE-2026-33642 allow for vulnerabilities?

This vulnerability, identified as CWE-190 and CWE-787, stems from integer wrapping during bounds validation in the `handle_compose_command()` function. This can lead to a heap buffer over-read or over-write, allowing an attacker to access or modify memory outside of its intended boundaries.

What conditions are needed for an attack using CVE-2026-33642?

An attacker needs the ability to send escape sequences to a Kitty terminal. This could be through a malicious file, an SSH login banner, or piped content. Importantly, no user interaction is required beyond the content being rendered in the terminal.

Who should be concerned about this Kitty vulnerability?

Anyone running Kitty versions prior to 0.47.0 should be concerned. The Halo Surface Signal indicates this vulnerability is 'Very unlikely' to be internet-facing, suggesting it primarily affects local user workstations rather than network services.

What is the first step to address the Kitty vulnerability?

The most immediate step is to upgrade Kitty to version 0.47.0 or later, as this version contains the fix for the vulnerability. If upgrading is not immediately possible, consider isolating systems running affected versions.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.