Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.
The handle_compose_command() function in kitty/graphics.c validates composition offsets (x_offset/y_offset) using 32-bit unsigned integer arithmetic that is vulnerable to integer wrapping (integer overflow, CWE-190). Crafted x_offset/y_offset values can pass range verification after wrapping, and subsequently cause massive out-of-bounds heap buffer access in the compose_rectangles() function — both read (CWE-125) and write (CWE-787). An attacker can deliver malicious escape sequences in multiple ways: through a malicious file, SSH login banner, or piped content — without requiring any user interaction and without custom configuration.
An attacker can gain unauthorized read and write access to the heap memory of the terminal process, which may lead to leakage of sensitive data from memory, data corruption, or potential remote code execution (RCE) in the context of the user running the terminal.
Update Kitty to version 0.47.0, in which the bug has been fixed. The patch is available in the project repository (commit e9661f0f3afb4e4dbffa509adfb3df3c9780ad34). Until the update is applied, avoid opening untrusted files, connecting to untrusted SSH servers, and processing untrusted data in the Kitty terminal window.
Kitty in versions 0.46.2 and earlier (all platforms supported by the application).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H