Kitty Heap Buffer Overflow Vulnerability in Graphics Protocol Handler Allowing Denial-of-Service and Potential Remote Code Execution

Vulnerability

A heap buffer overflow vulnerability has been identified in Kitty, a cross-platform GPU-based terminal, in versions up to and including 0.46.2. The issue lies in the graphics protocol handler, specifically in the 'load_image_data()' function. It can be triggered by any process that writes to the terminal's standard input, and causes Kitty to crash immediately. The overflow is triggered by an APC (Application Program Command) graphics protocol command that declares the PNG format and carries a payload larger than twice the initial buffer capacity. Because the overflowing data is attacker-controlled, this results in a confirmed denial-of-service condition and potentially allows remote code execution.

Impact

Exploitation of this vulnerability causes an immediate crash of the Kitty process, resulting in denial of service. Because the fault is a heap buffer overflow, more severe consequences such as remote code execution cannot be ruled out, particularly since the bug can be triggered by any process with write access to the terminal's stdin.

Reproduction

The vulnerability can be reproduced by sending a specially crafted APC graphics protocol command with a PNG format declaration to a Kitty terminal. A command that echoes a base64-encoded payload whose decoded size exceeds the buffer capacity is sufficient to trigger the heap overflow. The issue reproduces consistently in a Kitty debug build with sanitizers enabled, where the crash occurs immediately. In a regular build, the command may need to be adjusted to produce a reliable crash.

Remediation

Users are advised to update to Kitty version 0.47.0, where this vulnerability has been fixed.

Added: May 19, 2026, 6:22 PM
Updated: May 19, 2026, 6:22 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         7.5
exploitability: 3.8
remediation:    7.7
relevance:      8.8
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.