NIXPKGS-2026-1691

GitHub issue published on

Permalink CVE-2026-33642

9.9 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): High (H)

updated 2 days, 12 hours ago by @LeSuisse Activity log

Created suggestion 3 days, 17 hours ago
@LeSuisse ignored
9 packages
- kittysay
- kitty-img
- kitty-themes
- kittycad-kcl-lsp
- mailman-hyperkitty
- haskellPackages.discokitty
- mailmanPackages.hyperkitty
- mailmanPackages.mailman-hyperkitty
- vimPlugins.nvim-treesitter-parsers.kitty
2 days, 12 hours ago
@LeSuisse accepted 2 days, 12 hours ago
@LeSuisse published on GitHub 2 days, 12 hours ago

Kitty has a Heap Buffer Over-Read/Write via Integer Overflow in compose_rectangles Bounds Check

Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.

References

https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x exploitx_refsource_CONFIRM
https://github.com/kovidgoyal/kitty/commit/e9661f0f3afb4e4dbffa509adfb3df3c9780ad34 x_refsource_MISC

Affected products

kitty

==< 0.47.0

Matching in nixpkgs

pkgs.kitty

Fast, feature-rich, GPU based terminal emulator

nixos-unstable 0.46.2
- nixpkgs-unstable 0.46.2
- nixos-unstable-small 0.46.2
nixos-25.11 0.44.0
- nixos-25.11-small 0.44.0
- nixpkgs-25.11-darwin 0.44.0

Ignored packages (9)

pkgs.kittysay

Cowsay, but with a cute kitty :3

nixos-unstable 1.1.1
- nixpkgs-unstable 1.1.1
- nixos-unstable-small 1.1.1
nixos-25.11 0.8.0
- nixos-25.11-small 0.8.0
- nixpkgs-25.11-darwin 0.8.0

pkgs.kitty-img

Print images inline in kitty

nixos-unstable 1.1.0
- nixpkgs-unstable 1.1.0
- nixos-unstable-small 1.1.0
nixos-25.11 1.1.0
- nixos-25.11-small 1.1.0
- nixpkgs-25.11-darwin 1.1.0

pkgs.kitty-themes

Themes for the kitty terminal emulator

nixos-unstable 0-unstable-2026-03-31
- nixpkgs-unstable 0-unstable-2026-03-31
- nixos-unstable-small 0-unstable-2026-03-31
nixos-25.11 0-unstable-2025-10-24
- nixos-25.11-small 0-unstable-2025-10-24
- nixpkgs-25.11-darwin 0-unstable-2025-10-24

pkgs.kittycad-kcl-lsp

KittyCAD KCL language server

nixos-unstable 0.1.71
- nixpkgs-unstable 0.1.71
- nixos-unstable-small 0.1.71
nixos-25.11 0.1.71
- nixos-25.11-small 0.1.71
- nixpkgs-25.11-darwin 0.1.71

pkgs.mailman-hyperkitty

Mailman archiver plugin for HyperKitty

nixos-unstable 1.2.1
- nixpkgs-unstable 1.2.1
- nixos-unstable-small 1.2.1
nixos-25.11 1.2.1
- nixos-25.11-small 1.2.1
- nixpkgs-25.11-darwin 1.2.1

pkgs.haskellPackages.discokitty

DisCoCat implementation

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.mailmanPackages.hyperkitty

Archiver for GNU Mailman v3

nixos-unstable 1.3.12
- nixpkgs-unstable 1.3.12
- nixos-unstable-small 1.3.12
nixos-25.11 1.3.12
- nixos-25.11-small 1.3.12
- nixpkgs-25.11-darwin 1.3.12

pkgs.mailmanPackages.mailman-hyperkitty