CVE-2026-33633

Severity: High ⚡ Exploit Available
Weakness Type: CWE-122
Published: May 19, 2026  ·  Modified: May 26, 2026  ·  Source: NVD
CVSS v3: 7.5
📄 Description (English)

Kitty is a cross-platform GPU-based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process able to write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. Both the length and the content of the overflow are attacker-controlled, causing a denial of service and potentially escalating to remote code execution. This issue has been fixed in version 0.47.0.

🤖 AI Executive Summary

CVE-2026-33633 is a heap buffer overflow vulnerability in Kitty terminal versions 0.46.2 and below, triggered via APC graphics protocol commands with PNG format declarations. An attacker with stdin access can crash the terminal immediately, with potential for remote code execution through controlled overflow of both length and content. This vulnerability poses significant risk to organizations using Kitty for remote terminal access or automated terminal processing.

🤖 AI Intelligence Analysis (analyzed: May 23, 2026 03:40)
🇸🇦 Saudi Arabia Impact Assessment
Saudi government agencies (NCA, NCSC) and financial institutions (SAMA-regulated banks) using Kitty for secure terminal access face immediate DoS risk. Telecommunications sector (STC, Mobily) and energy sector (Saudi Aramco) utilizing Kitty in automated monitoring or remote administration systems are vulnerable to service disruption and potential lateral movement. Healthcare organizations (MOH) and critical infrastructure operators relying on Kitty for administrative access could experience operational disruption. The vulnerability is particularly concerning for organizations using Kitty in containerized or cloud environments where multiple processes may share terminal access.
🏢 Affected Saudi Sectors
Government and Public Administration, Banking and Financial Services, Telecommunications, Energy and Utilities, Healthcare, Critical Infrastructure, Information Technology Services
⚖️ Saudi Risk Score (AI): 7.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running Kitty versions 0.46.2 and below using asset inventory and endpoint detection tools
2. Restrict stdin access to Kitty terminals to trusted processes only; implement principle of least privilege
3. Disable APC graphics protocol support if not required (configure Kitty with graphics disabled)
4. Monitor for unexpected terminal crashes and correlate with APC protocol commands in logs

PATCHING GUIDANCE:
1. Upgrade to Kitty version 0.47.0 or later immediately when available
2. For systems unable to patch immediately, implement network segmentation to limit untrusted input sources
3. Deploy application whitelisting to prevent unauthorized processes from writing to terminal stdin

COMPENSATING CONTROLS:
1. Implement input validation and sanitization for any process writing to Kitty stdin
2. Use terminal multiplexers (tmux, screen) with restricted access controls as intermediary layer
3. Enable core dumps and crash logging to detect exploitation attempts
4. Deploy host-based IDS rules to detect APC protocol commands with PNG format declarations (f=100)

DETECTION RULES:
1. Monitor for Kitty process crashes correlated with stdin writes containing APC sequences
2. Alert on PNG format declarations (f=100) in terminal input streams
3. Track process creation and stdin redirection patterns to Kitty instances
4. Implement YARA rules to detect malicious APC graphics protocol payloads in network traffic
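Detection rules 2 and 4 above both come down to spotting PNG-declared (f=100) graphics commands with oversized payloads in terminal input. The following is an added example, not code from the page or from the kitty project: it scans a captured stdin stream for kitty graphics APC sequences (ESC _ G ... ESC \) and flags f=100 commands whose decoded payload exceeds a constructed threshold. The sample stream, the threshold value and the function names are assumptions.

```python
import base64
import re

# Kitty graphics commands travel as APC sequences:
#   ESC _ G <key=value,...> [ ; <base64 payload> ] ESC \
APC_GRAPHICS = re.compile(rb"\x1b_G([^;\x1b]*)(?:;([^\x1b]*))?\x1b\\")
# Constructed threshold for this example: the page gives no exact buffer size,
# only that a single PNG-declared payload over twice it triggers the overflow.
SUSPICIOUS_PNG_BYTES = 4096

def parse_control(control: bytes) -> dict:
    """Turn b'a=T,f=100,s=2' into {'a': 'T', 'f': '100', 's': '2'}."""
    keys = {}
    for item in control.split(b","):
        if b"=" in item:
            k, v = item.split(b"=", 1)
            keys[k.decode("ascii", "replace")] = v.decode("ascii", "replace")
    return keys

def scan_stream(data: bytes) -> list:
    """Return (pixel_format, decoded_payload_len, flagged) per graphics command."""
    findings = []
    for m in APC_GRAPHICS.finditer(data):
        keys = parse_control(m.group(1))
        fmt = keys.get("f", "32")  # protocol default is 32 (raw RGBA)
        try:
            decoded_len = len(base64.b64decode(m.group(2) or b"", validate=True))
        except ValueError:  # not valid base64: also worth flagging on a PNG command
            decoded_len = -1
        flagged = fmt == "100" and (decoded_len > SUSPICIOUS_PNG_BYTES or decoded_len < 0)
        findings.append((fmt, decoded_len, flagged))
    return findings

def build_sample() -> bytes:
    """Constructed stdin capture: shell text plus three graphics commands."""
    small_png = base64.b64encode(b"\x89PNG" + b"\x00" * 124)   # 128 decoded bytes
    big_png = base64.b64encode(b"\x89PNG" + b"\x00" * 8188)    # 8192 decoded bytes
    rgba = base64.b64encode(b"\xff" * 8192)                     # same size, but f=32
    return (b"ls -la\r\n"
            + b"\x1b_Ga=T,f=100,s=2,v=2;" + small_png + b"\x1b\\"
            + b"\x1b_Ga=T,f=100;" + big_png + b"\x1b\\"
            + b"\x1b_Ga=T,f=32,s=64,v=32;" + rgba + b"\x1b\\"
            + b"exit\r\n")

if __name__ == "__main__":
    for fmt, size, flagged in scan_stream(build_sample()):
        print(f"f={fmt:<4} payload={size:>6} bytes  {'ALERT' if flagged else 'ok'}")
```

The protocol also allows chunked transfers (m=1 on all but the last chunk), so a production detector should accumulate decoded bytes across consecutive chunks of one image rather than judging each command in isolation.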
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.5.1.1 - Information security policies and procedures
- ECC 2024 A.5.2.1 - Access control and authentication
- ECC 2024 A.6.2.1 - Vulnerability management and patching
- ECC 2024 A.7.1.1 - Cryptography and secure communications
- ECC 2024 A.8.1.1 - Incident detection and response
🔵 SAMA CSF
- SAMA CSF ID.AM-2 - Software and hardware inventory
- SAMA CSF PR.AC-1 - Access control and authentication mechanisms
- SAMA CSF PR.MA-2 - Address vulnerabilities and apply patches
- SAMA CSF DE.CM-1 - Monitor and detect anomalies
- SAMA CSF RS.MI-1 - Establish incident response procedures
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.1 - Policies for information security
- ISO 27001:2022 A.8.1 - Asset management
- ISO 27001:2022 A.8.2 - Data classification and handling
- ISO 27001:2022 A.12.6 - Capacity and resource management
- ISO 27001:2022 A.14.2 - Information security requirements in supplier relationships
📦 Affected Products / CPE (1 entry): kovidgoyal:kitty
📊 CVSS Score: 7.5 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: N — Network
Attack Complexity: H — High
Privileges Required: N — None
User Interaction: R — Required
Scope: U — Unchanged
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 7.5
CWE: CWE-122
EPSS: 0.04%
Exploit: ✓ Yes
Patch: ✗ No
Published: 2026-05-19
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.8 / 10.0 — Priority: HIGH
🏷️ Tags: CWE-122