VulnerableCode Package Details - pkg:deb/debian/kitty@0.26.5-5

Search for packages

Vulnerability	Summary	Fixed by
VCID-fahg-kn3w-gfdv Aliases: CVE-2025-43929	open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).	0.41.1-2 Affected by 0 other vulnerabilities.
VCID-rbtm-8gfk-sfb8 Aliases: CVE-2026-33633	Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing DoS and potentially escalation to RCE itself. This issue has been fixed in version 0.47.0.	0.41.1-2 Affected by 0 other vulnerabilities.
VCID-weae-zqfg-akad Aliases: CVE-2026-33642	Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.	0.41.1-2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-fahg-kn3w-gfdv
Aliases:
CVE-2025-43929

open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).

0.41.1-2
Affected by 0 other vulnerabilities.

VCID-rbtm-8gfk-sfb8
Aliases:
CVE-2026-33633

Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing DoS and potentially escalation to RCE itself. This issue has been fixed in version 0.47.0.

0.41.1-2
Affected by 0 other vulnerabilities.

VCID-weae-zqfg-akad
Aliases:
CVE-2026-33642

Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.

0.41.1-2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-jkr3-br86-cuda	In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup.	CVE-2022-41322

Vulnerability

Summary

Aliases

VCID-jkr3-br86-cuda

In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup.

CVE-2022-41322

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T06:53:29.169225+00:00	Debian Oval Importer	Fixing	VCID-jkr3-br86-cuda	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-05T20:09:10.931320+00:00	Debian Importer	Affected by	VCID-rbtm-8gfk-sfb8	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-05T19:15:11.775345+00:00	Debian Importer	Affected by	VCID-weae-zqfg-akad	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-05T19:04:17.632501+00:00	Debian Importer	Affected by	VCID-fahg-kn3w-gfdv	https://security-tracker.debian.org/tracker/data/json	38.6.0