Aquasecurity Trivy Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
Description
Aquasecurity Trivy Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
Remediation
FEDERAL DEADLINE: April 8, 2026 (13 days). Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. FEDERAL DEADLINE: April 8, 2026 (13 days). Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA KEV Details
Deadline: April 8, 2026
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
---METADATA---
VENDOR: Kovid Goyal
PRODUCT: Kitty
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
CONFIDENCE: low
MISSING: versions, patch, technical_details
---END_METADATA---
Description Summary:
A security vulnerability has been identified in the cross-platform GPU-based terminal emulator, Kitty.
Executive Summary:
A high-severity vulnerability in the Kitty terminal emulator requires immediate attention to prevent potential system compromise.
Vulnerability Details
CVE-ID: CVE-2026-33633
Affected Software: Kovid Goyal Kitty
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability details are currently sparse, providing no specific information on the attack vector or the authentication requirements. With a CVSS score of 7.5, the issue is considered high risk and likely involves memory corruption or command execution vectors typical of terminal emulators.
Business Impact
A CVSS score of 7.5 indicates a significant risk to the local environment where the terminal is deployed. Exploitation could allow an attacker to gain unauthorized access to the local machine, potentially leading to privilege escalation or the theft of sensitive local session data.
Remediation Plan
Immediate Action: Update the Kitty terminal software to the latest version provided by the developer as soon as a patch is released.
Proactive Monitoring: Monitor for unexpected terminal behavior or unauthorized processes spawned from the terminal environment.
Compensating Controls: Restrict terminal access to trusted users and ensure that the host operating system is hardened against local privilege escalation.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of May 20, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Security teams should prioritize updating terminal software in environments where high-privilege users interact with untrusted input or remote systems. Proactive monitoring of local system logs is advised until further technical details are disclosed.