CVE-2026-33642
Kovid Goyal · Kitty
An integer wrapping vulnerability in the Kitty terminal emulator can lead to heap-based buffer corruption, allowing for potential arbitrary code execution.
Executive summary
A critical heap buffer overflow in the Kitty terminal emulator allows unauthenticated attackers to achieve remote code execution through malicious output.
Vulnerability
The handle_compose_command() function in kitty/graphics.c fails to properly validate composition offsets due to integer wrapping. An unauthenticated attacker can trigger this by sending crafted escape sequences to a terminal window.
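The class of bug described above is a bounds check that adds an attacker-controlled offset to an attacker-controlled size and compares the (wrapped) sum against a limit. The following is an added illustration of the defect and its fix; it is not kitty's code, and the `image_t` struct, `compose_in_bounds_naive`, `compose_in_bounds_safe` and `pixel_offset` names are hypothetical. The safe variant subtracts instead of adding, and the offset computation uses checked arithmetic so no intermediate value can wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical destination image for a compose operation (constructed for
 * this example; not kitty's own data structure). Pixels are 4 bytes each. */
typedef struct {
    uint32_t width;   /* width in pixels */
    uint32_t height;  /* height in pixels */
    size_t   size;    /* bytes in the pixel buffer: width * height * 4 */
} image_t;

/* Defective check: x + w is computed in 32-bit unsigned arithmetic and can
 * wrap to a small value, so a huge w passes the comparison. */
static bool compose_in_bounds_naive(const image_t *dst,
                                    uint32_t x, uint32_t y,
                                    uint32_t w, uint32_t h) {
    return x + w <= dst->width && y + h <= dst->height;
}

/* Hardened check: reject the origin first, then compare the extent against the
 * remaining room. Only subtraction is used, so nothing can wrap. */
static bool compose_in_bounds_safe(const image_t *dst,
                                   uint32_t x, uint32_t y,
                                   uint32_t w, uint32_t h) {
    if (x > dst->width || y > dst->height) return false;
    return w <= dst->width - x && h <= dst->height - y;
}

/* Byte offset of pixel (x, y) in a 4-bytes-per-pixel buffer. Every
 * intermediate product and sum is overflow-checked (GCC/Clang builtins),
 * and the final offset is checked against the buffer size. */
static bool pixel_offset(const image_t *img, uint32_t x, uint32_t y,
                         size_t *out) {
    size_t row, idx, off;
    if (__builtin_mul_overflow((size_t)y, (size_t)img->width, &row)) return false;
    if (__builtin_add_overflow(row, (size_t)x, &idx)) return false;
    if (__builtin_mul_overflow(idx, (size_t)4, &off)) return false;
    if (off >= img->size) return false;
    *out = off;
    return true;
}

int main(void) {
    const image_t dst = { 64, 64, 64 * 64 * 4 };
    /* Constructed hostile rectangle: x + w wraps to 0 in uint32_t. */
    uint32_t x = 16, w = UINT32_MAX - 15;
    printf("naive check accepts wrapped rectangle: %s\n",
           compose_in_bounds_naive(&dst, x, 0, w, 1) ? "yes" : "no");
    printf("safe check accepts wrapped rectangle:  %s\n",
           compose_in_bounds_safe(&dst, x, 0, w, 1) ? "yes" : "no");
    size_t off;
    if (pixel_offset(&dst, 3, 2, &off))
        printf("offset of (3,2) = %zu bytes\n", off);
    return 0;
}
```

The naive version accepts a rectangle whose width, added to its x origin, wraps to zero; any subsequent memcpy sized from `w` would run past the destination buffer. The safe version rejects it because `w` exceeds `width - x`. The same subtract-not-add discipline applies to any offset-plus-length check on untrusted input.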
Business impact
With a CVSS score of 9.9, this vulnerability is extremely dangerous as it allows for full control of the host machine. The lack of required user interaction or specific configurations makes this a high-risk vector for attackers who can influence terminal output, such as through SSH banners or piped logs.
Remediation
Immediate Action: Upgrade all installations of Kitty to version 0.47.0 or higher.
Proactive Monitoring: Audit terminal environments and, where possible, restrict the ability of untrusted sources to write to the terminal.
Compensating Controls: Use terminal wrappers or security-hardened terminal configurations that sanitize input sequences if immediate patching is not feasible.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this remote code execution vulnerability cannot be overstated. Organizations utilizing Kitty for terminal operations must prioritize this update as part of their urgent security maintenance cycle to prevent host system compromise.