CVE-2022-41322 in Kitty
Summary
by MITRE • 09/23/2022
In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup.
Analysis
by VulDB Data Team • 06/03/2025
The vulnerability identified as CVE-2022-41322 affects the Kitty terminal emulator version 0.26.1 and earlier, representing a critical security flaw that enables arbitrary code execution through improper input validation. This vulnerability specifically targets the desktop notification escape sequence implementation within the terminal application, creating a pathway for attackers to execute malicious code on affected systems. The flaw exists in the manner in which Kitty processes escape sequences that trigger desktop notifications, failing to properly sanitize or validate user-controlled input data.
The technical root of this vulnerability is insufficient validation in the desktop notification handling code of Kitty's terminal emulation framework. When the terminal receives escape sequences that request a desktop notification, it does not adequately verify the contents of those sequences before processing them. This validation gap lets an attacker craft malicious escape sequences whose contents are acted upon, with arbitrary code execution as the result, when the user clicks the resulting notification. The weakness is classified as CWE-20 (Improper Input Validation): the parameters of the escape sequence are not properly sanitized. Because the attack needs the user to click on the notification popup, it combines technical exploitation with social engineering.
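The validation gap described above is easiest to understand next to a validator that does not have it. The Python below is an added example, not kitty's code and not the actual patch: it parses a kitty-style OSC 99 notification sequence (the `ESC ] 99 ; key=value,... ; payload` layout follows kitty's documented notification protocol; the metadata keys accepted here and the identifier character set are this example's assumptions) and accepts it only when every metadata field matches an allowlist, rejecting anything unknown or malformed rather than trying to clean it up. `scan_stream` applies the same check across captured terminal output, which is one way to do the terminal session monitoring the analysis recommends. The sample stream is constructed for the example.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed shape of a kitty-style notification request (kitty's OSC 99 protocol):
#   ESC ] 99 ; key=value,key=value ; payload   terminated by BEL or ESC \
OSC99_RE = re.compile(
    r"\x1b\]99;(?P<meta>[^;\x07\x1b]*);(?P<payload>[^\x07\x1b]*)(?:\x07|\x1b\\)"
)

# Allowlist of metadata keys and the exact value shape each may take. Key names
# follow kitty's protocol; the permitted character sets are this example's
# assumptions. Anything not listed here is rejected outright.
ALLOWED_KEYS = {
    "i": re.compile(r"[A-Za-z0-9_.+-]{1,64}"),   # notification identifier
    "p": re.compile(r"title|body"),              # which part the payload fills
    "d": re.compile(r"[01]"),                    # "done" flag
    "e": re.compile(r"[01]"),                    # payload is base64 encoded
    "u": re.compile(r"[012]"),                   # urgency level
}


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)
    payload: str = ""


def validate_notification(seq: str) -> Verdict:
    """Accept a sequence only if every field matches the allowlist exactly."""
    m = OSC99_RE.fullmatch(seq)
    if m is None:
        return Verdict(False, ["not a well-formed OSC 99 sequence"])
    reasons: List[str] = []
    meta: Dict[str, str] = {}
    for item in filter(None, m.group("meta").split(",")):
        key, sep, value = item.partition("=")
        if not sep:
            reasons.append(f"malformed metadata item {item!r}")
            continue
        rule = ALLOWED_KEYS.get(key)
        if rule is None:
            reasons.append(f"unknown metadata key {key!r}")
        elif rule.fullmatch(value) is None:
            reasons.append(f"value for key {key!r} fails allowlist: {value!r}")
        meta[key] = value
    payload = m.group("payload")
    if meta.get("e") == "1":
        try:
            payload = base64.b64decode(payload, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            reasons.append("payload is not valid base64/UTF-8")
            payload = ""
    # Decoded text shown to the user must not smuggle further control bytes.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in payload):
        reasons.append("control characters in payload")
    return Verdict(not reasons, reasons, meta, payload)


def scan_stream(text: str) -> List[Tuple[str, Verdict]]:
    """Find every OSC 99 sequence in captured terminal output and judge it.
    Rejected sequences are the ones worth logging in session monitoring."""
    return [(m.group(0), validate_notification(m.group(0)))
            for m in OSC99_RE.finditer(text)]


# Constructed sample stream: one benign request and one whose identifier
# carries characters outside the allowlist.
SAMPLE_STREAM = (
    "$ make\n"
    "\x1b]99;i=build-42,p=title;Build finished\x1b\\"
    "\n$ cat untrusted.log\n"
    "\x1b]99;i=hello world\",p=title;look here\x07"
    "\n$ "
)

if __name__ == "__main__":
    for raw, verdict in scan_stream(SAMPLE_STREAM):
        status = "accepted" if verdict.accepted else "REJECTED"
        print(status, verdict.meta, verdict.reasons)
```

The design choice is the one the analysis calls for: every user-controlled field is matched against an explicit allowlist before anything acts on it, and a sequence with even one unknown key or out-of-set character is dropped as a whole instead of being partially honoured.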
The operational impact of this vulnerability is significant as it allows remote code execution on systems where Kitty is installed and actively used. An attacker who can inject malicious content into a terminal session can potentially execute arbitrary commands with the privileges of the user running Kitty. The requirement for user interaction through clicking on a notification popup makes this attack more difficult to automate but still poses a real threat in environments where users regularly interact with terminal applications. The vulnerability affects systems where Kitty is used as a terminal emulator, particularly in development environments, server management scenarios, or any context where users might encounter untrusted content within terminal sessions. This type of vulnerability falls under ATT&CK technique T1059, which covers execution through command and scripting interpreters, as the malicious code execution occurs through terminal command processing.
Exploiting this vulnerability requires a specific chain: an attacker first has to get malicious content displayed in a terminal session, and the user then has to click on the resulting notification popup, at which point the malicious content carried by the escape sequence is acted upon and arbitrary code is executed. This makes the vulnerability particularly dangerous where users frequently work in terminal applications and may encounter content from untrusted sources. The fix involves proper input validation and sanitization of the escape sequences that trigger desktop notifications, so that all user-controlled data is validated before any processing occurs. Security professionals should ensure that all systems using Kitty are updated to version 0.26.2 or later, which contains the patch for this validation weakness. Organizations should also consider additional measures such as terminal session monitoring and user education about the risks of interacting with untrusted content in terminal applications.
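Confirming that a host runs a fixed release is the first remediation check. The Python below is an added example, not a tool from the kitty project: it parses the output of `kitty --version` (assumed here to look like `kitty 0.26.1 created by Kovid Goyal`; that format is an assumption) and compares the version tuple with 0.26.2, the first fixed release named in the summary. It also handles the cases a fleet check actually meets, namely kitty missing from `PATH` and output that does not parse.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First release containing the fix, per the MITRE summary for CVE-2022-41322.
FIXED_VERSION = (0, 26, 2)

# Assumed output shape of `kitty --version`, e.g. "kitty 0.26.1 created by Kovid Goyal".
VERSION_RE = re.compile(r"\bkitty\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from version output, or None if absent."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_fixed(output: str) -> Optional[bool]:
    """True if the reported version is 0.26.2 or later, False if older,
    None if no version could be parsed from the output."""
    version = parse_version(output)
    if version is None:
        return None
    return version >= FIXED_VERSION   # tuple comparison, so 0.26.10 > 0.26.2


def check_installed() -> str:
    """Run the locally installed kitty and report its status as a string."""
    exe = shutil.which("kitty")
    if exe is None:
        return "kitty not found on PATH"
    result = subprocess.run([exe, "--version"], capture_output=True,
                            text=True, check=False)
    output = result.stdout.strip()
    verdict = is_fixed(output)
    if verdict is None:
        return f"could not parse a version from {output!r}"
    state = "fixed" if verdict else "VULNERABLE to CVE-2022-41322"
    return f"{output}: {state}"


if __name__ == "__main__":
    print(check_installed())
```

Distribution packages sometimes append a suffix after the version; the regex only needs the leading `major.minor.patch` triple, so such suffixes are ignored rather than causing a parse failure.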