Critical Kitty Terminal Vulnerabilities Allow RCE via Image and Graphics Handling
Ubuntu security advisory USN-8442-1 addresses two critical vulnerabilities in the kitty terminal emulator that could allow remote code execution through malformed image data and graphics commands. Attackers with terminal input access can trigger crashes or execute arbitrary code.
TL;DR
- Two CVEs discovered in kitty terminal: CVE-2026-33633 (image data handling) and CVE-2026-33642 (graphics commands)
- Both vulnerabilities allow denial of service or arbitrary code execution when attacker can write to terminal input or inject escape sequences
- Affects systems running vulnerable kitty versions; patch available via Ubuntu security update USN-8442-1
- Risk is elevated for shared terminal environments, SSH sessions, and systems processing untrusted terminal output
Ubuntu has released security update USN-8442-1 addressing two critical vulnerabilities in the kitty terminal emulator. These flaws stem from improper handling of image data and graphics protocol commands, creating pathways for both denial of service and arbitrary code execution attacks.
The vulnerabilities are particularly concerning because they can be triggered by attackers who gain write access to a terminal's input stream or can inject malicious escape sequences. This threat model is relevant in shared computing environments, SSH sessions, and scenarios where terminal output from untrusted sources is displayed.
System administrators and users relying on kitty should prioritize applying the security patch to mitigate exploitation risk.
Vulnerability Details
- CVE-2026-33633: Improper image data handling allows crash or code execution via terminal input
- CVE-2026-33642: Graphics command processing flaw enables denial of service or arbitrary code execution through escape sequences
- Both vulnerabilities require attacker capability to write to terminal input or inject escape sequences
- Impact ranges from service disruption to full system compromise depending on kitty process privileges
Attack Surface and Risk Assessment
- Shared terminal environments where multiple users or processes can inject input
- Remote SSH sessions displaying untrusted terminal output or log data
- Automated systems processing terminal output from external sources without sanitization
- Terminal multiplexers and session managers that relay user input to kitty instances
- Web-based terminal emulators or terminal-as-a-service platforms using kitty backend
Remediation Guidance
- Apply Ubuntu security update USN-8442-1 immediately to affected systems
- Verify kitty version post-patch to confirm vulnerability resolution
- Restrict terminal input sources and validate escape sequence handling in upstream applications
- Monitor for suspicious graphics commands or malformed image data in terminal logs
- Consider running kitty with minimal privileges where feasible
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.