In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup. https://github.com/kovidgoyal/kitty/compare/v0.26.1...v0.26.2 https://github.com/kovidgoyal/kitty/commit/f05783e64d5fa62e1aed603e8d69aced5e49824f https://sw.kovidgoyal.net/kitty/changelog/#detailed-list-of-changes https://bugs.gentoo.org/868543
Created kitty tracking bugs for this issue: Affects: epel-all [bug 2129748] Affects: fedora-all [bug 2129749]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.