kitty - Debian Package Tracker

general

source: kitty (main)
version: 0.47.4-1
maintainer: Nilesh Patra (DMD)
uploaders: Maytham Alsudany [DMD]
arch: all any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.19.3-1
o-o-sec: 0.19.3-1+deb11u1
oldstable: 0.26.5-5
stable: 0.41.1-2
stable-sec: 0.41.1-2+deb13u1
stable-p-u: 0.41.1-2+deb13u1
testing: 0.47.3-1
unstable: 0.47.4-1

versioned links

0.19.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.19.3-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.26.5-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.41.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.41.1-2+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.47.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.47.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

kitty (1 bugs: 0, 0, 1, 0)
kitty-doc
kitty-shell-integration
kitty-terminfo

action needed

5 security issues in trixie high

There are 5 open security issues in trixie.

5 important issues:

CVE-2026-42850: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the terminal with CRLF, as such it will be run by the shell in use. To exploit this bug, the victim must use a netcat or a similar program to connect to the attacker, or else listening for someone to connect. Once this condition is set, an attacker could pwn the computer of the victim using a special kitty's escape code that will run a command in the shell in use. Version 04.7.0 fixes the issue.
CVE-2026-42851: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.
CVE-2026-54055: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
CVE-2026-54056: Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses `utils.CreateAt()` / `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects `kitten dnd` remote drag-and-drop staging, uses different vulnerable code (`kittens/dnd/drop.go` and `tools/utils/file_at_fd.go`), and reproduces on commit `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer `O_NOFOLLOW` fix. Version 0.47.2 patches the issue.
CVE-2026-54057: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.

Created: 2026-06-13 Last update: 2026-06-21 18:00

6 security issues in bullseye high

There are 6 open security issues in bullseye.

6 important issues:

CVE-2026-33633: Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing DoS and potentially escalation to RCE itself. This issue has been fixed in version 0.47.0.
CVE-2026-42850: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the terminal with CRLF, as such it will be run by the shell in use. To exploit this bug, the victim must use a netcat or a similar program to connect to the attacker, or else listening for someone to connect. Once this condition is set, an attacker could pwn the computer of the victim using a special kitty's escape code that will run a command in the shell in use. Version 04.7.0 fixes the issue.
CVE-2026-42851: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.
CVE-2026-54055: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
CVE-2026-54056: Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses `utils.CreateAt()` / `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects `kitten dnd` remote drag-and-drop staging, uses different vulnerable code (`kittens/dnd/drop.go` and `tools/utils/file_at_fd.go`), and reproduces on commit `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer `O_NOFOLLOW` fix. Version 0.47.2 patches the issue.
CVE-2026-54057: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.

Created: 2026-05-22 Last update: 2026-06-21 18:00

8 security issues in bookworm high

There are 8 open security issues in bookworm.

7 important issues:

CVE-2026-33633: Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing DoS and potentially escalation to RCE itself. This issue has been fixed in version 0.47.0.
CVE-2026-33642: Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.
CVE-2026-42850: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the terminal with CRLF, as such it will be run by the shell in use. To exploit this bug, the victim must use a netcat or a similar program to connect to the attacker, or else listening for someone to connect. Once this condition is set, an attacker could pwn the computer of the victim using a special kitty's escape code that will run a command in the shell in use. Version 04.7.0 fixes the issue.
CVE-2026-42851: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.
CVE-2026-54055: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.
CVE-2026-54056: Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses `utils.CreateAt()` / `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects `kitten dnd` remote drag-and-drop staging, uses different vulnerable code (`kittens/dnd/drop.go` and `tools/utils/file_at_fd.go`), and reproduces on commit `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer `O_NOFOLLOW` fix. Version 0.47.2 patches the issue.
CVE-2026-54057: Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.

1 issue left for the package maintainer to handle:

CVE-2025-43929: (needs triaging) open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-04-20 Last update: 2026-06-21 18:00

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-06-26 Last update: 2026-06-29 09:01

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2026-05-26 Last update: 2026-06-29 08:00

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-21 Last update: 2026-06-21 23:01

AppStream hints: 1 warning normal

AppStream found metadata issues for packages:

kitty: 1 warning

You should get rid of them to provide more metadata about this software.

Created: 2020-06-01 Last update: 2020-06-01 01:13

debian/patches: 6 patches to forward upstream low

Among the 15 debian patches available in version 0.47.4-1 of the package, we noticed the following issues:

6 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-06-21 20:30

testing migrations

This package is part of the ongoing testing transition known as auto-upperlimit-python3. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migrates after: python3-defaults
- Migration status for kitty (0.47.3-1 to 0.47.4-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Lintian check waiting for test results on riscv64, ppc64el, amd64, s390x, i386 - info
- ∙ ∙ Reproducibility check waiting for results on i386 - info
- ∙ ∙ Depends: kitty python3-defaults (not considered)
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/k/kitty.html
- ∙ ∙ Not reproduced on amd64 (not a regression): kitty, kitty-doc
- ∙ ∙ Not reproduced on arm64 (not a regression): kitty, kitty-doc
- ∙ ∙ Not reproduced on armhf (not a regression): kitty, kitty-doc
- ∙ ∙ 8 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-06-21] Accepted kitty 0.47.4-1 (source) into unstable (Maytham Alsudany)
[2026-06-20] kitty 0.47.3-1 MIGRATED to testing (Debian testing watch)
[2026-06-13] Accepted kitty 0.47.3-1 (source) into unstable (Nilesh Patra)
[2026-05-28] Accepted kitty 0.41.1-2+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Nilesh Patra)
[2026-05-28] Accepted kitty 0.41.1-2+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Nilesh Patra)
[2026-05-26] kitty 0.47.0-3 MIGRATED to testing (Debian testing watch)
[2026-05-22] Accepted kitty 0.47.0-3 (source) into unstable (Nilesh Patra)
[2026-05-21] Accepted kitty 0.47.0-2 (source) into unstable (Nilesh Patra)
[2026-05-21] Accepted kitty 0.47.0-1 (source) into unstable (Nilesh Patra)
[2026-05-09] kitty 0.46.2-1 MIGRATED to testing (Debian testing watch)
[2026-04-30] Accepted kitty 0.46.2-1 (source) into unstable (Maytham Alsudany)
[2026-03-22] kitty 0.46.1-1 MIGRATED to testing (Debian testing watch)
[2026-03-17] Accepted kitty 0.46.1-1 (source) into unstable (Nilesh Patra)
[2026-02-28] kitty 0.45.0-2 MIGRATED to testing (Debian testing watch)
[2026-02-22] Accepted kitty 0.45.0-2 (source) into unstable (Nilesh Patra)
[2026-01-08] kitty 0.45.0-1 MIGRATED to testing (Debian testing watch)
[2026-01-02] Accepted kitty 0.45.0-1 (source) into unstable (Nilesh Patra)
[2025-12-02] kitty 0.44.0-1 MIGRATED to testing (Debian testing watch)
[2025-11-26] Accepted kitty 0.44.0-1 (source) into unstable (Nilesh Patra)
[2025-10-24] kitty 0.43.1-1 MIGRATED to testing (Debian testing watch)
[2025-10-18] Accepted kitty 0.43.1-1 (source) into unstable (Nilesh Patra)
[2025-10-04] kitty 0.42.2-1 MIGRATED to testing (Debian testing watch)
[2025-09-27] Accepted kitty 0.42.2-1 (source) into unstable (Nilesh Patra)
[2025-07-15] Accepted kitty 0.42.1-1 (source) into experimental (Maytham Alsudany)
[2025-06-11] kitty 0.41.1-2 MIGRATED to testing (Debian testing watch)
[2025-06-05] Accepted kitty 0.41.1-2 (source) into unstable (Nilesh Patra)
[2025-06-01] Accepted kitty 0.19.3-1+deb11u1 (source) into oldstable-security (Tobias Frost)
[2025-05-06] kitty 0.41.1-1 MIGRATED to testing (Debian testing watch)
[2025-04-26] Accepted kitty 0.41.1-1 (source) into unstable (Nilesh Patra)
[2025-03-17] Accepted kitty 0.40.0-1 (source) into unstable (Maytham Alsudany)

bugs [bug history graph]

all: 1
RC: 0
I&N: 0
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 2)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.47.4-1