CVE-2023-32650
Description
An integer overflow vulnerability exists in the FST_BL_GEOM parsing maxhandle functionality of GTKWave 3.3.115, when compiled as a 32-bit binary. A specially crafted .fst file can lead to memory corruption. A victim would need to open a malicious file to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in GTKWave 3.3.115 32-bit binary when parsing crafted .fst file leads to memory corruption via file open.
Vulnerability
An integer overflow vulnerability (CWE-190) exists in the FST_BL_GEOM parsing maxhandle functionality of GTKWave 3.3.115 [1]. The flaw is present only when GTKWave is compiled as a 32-bit binary. A specially crafted .fst file can trigger the integer overflow, leading to memory corruption. The vulnerable code path is reachable when a victim opens a malicious .fst file via the GUI or the command-line tools; GTKWave also sets up file associations, so such files can be opened by double-clicking [1].
Exploitation
An attacker must craft a malicious .fst file that triggers the integer overflow in the maxhandle parsing routine [1]. The victim then needs to open this file using GTKWave, either by double-clicking (exploiting the MIME association) or by using the File->Open dialog or command line. No authentication or special privileges are required beyond the victim's normal user permissions. The attack complexity is high (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) [1] due to the 32-bit compilation requirement and the need for user interaction.
Impact
Successful exploitation allows an attacker to achieve memory corruption, potentially leading to arbitrary code execution in the context of the GTKWave process [1]. This could result in full compromise of the victim's data and system, including disclosure, modification, or destruction of information, and execution of arbitrary commands with the victim's privileges.
Mitigation
As of the publication date of the Talos advisory (2024-01-08), no official patch for GTKWave 3.3.115 has been released [1]. Users are advised to avoid opening .fst files from untrusted sources, and to use 64-bit builds of GTKWave where available, as the vulnerability only affects 32-bit compiled binaries. If possible, disable file associations for .fst files or use alternative wave viewers until a fixed version is provided by the vendor. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
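To act on the 64-bit-build advice above, the following added example (not part of the advisory or of GTKWave) reads an executable's header and reports whether it is a 32-bit or 64-bit ELF or PE image. The tool name `gtkwave` being on PATH is an assumption, and the sample headers are constructed for illustration.

```python
import shutil
import struct


def binary_bitness(header: bytes) -> str:
    """Classify an executable from its leading bytes: '32', '64' or 'unknown'."""
    # ELF: magic 7f 'E' 'L' 'F', then EI_CLASS (1 = ELFCLASS32, 2 = ELFCLASS64).
    if header[:4] == b"\x7fELF" and len(header) > 4:
        return {1: "32", 2: "64"}.get(header[4], "unknown")
    # PE: 'MZ' stub, e_lfanew at 0x3C points to 'PE\0\0'; the optional-header
    # magic follows the 20-byte COFF header (0x10B = PE32, 0x20B = PE32+).
    if header[:2] == b"MZ" and len(header) >= 0x40:
        (pe_off,) = struct.unpack_from("<I", header, 0x3C)
        if header[pe_off:pe_off + 4] == b"PE\0\0" and len(header) >= pe_off + 26:
            (magic,) = struct.unpack_from("<H", header, pe_off + 24)
            return {0x10B: "32", 0x20B: "64"}.get(magic, "unknown")
    # Wrapper scripts and other formats are reported as unknown, not as safe.
    return "unknown"


def audit(names=("gtkwave",)):
    """Return {name: (path, bitness)} for each named tool found on PATH."""
    results = {}
    for name in names:
        path = shutil.which(name)
        if path is None:
            continue
        with open(path, "rb") as fh:
            results[name] = (path, binary_bitness(fh.read(4096)))
    return results


def _pe_header(opt_magic: int) -> bytes:
    """Constructed minimal PE prefix: MZ stub, PE signature, COFF header, magic."""
    stub = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return stub + b"PE\0\0" + bytes(20) + struct.pack("<H", opt_magic)


# Constructed sample headers (not real binaries).
SAMPLES = {
    "elf32": b"\x7fELF" + bytes([1, 1, 1]) + bytes(9),
    "elf64": b"\x7fELF" + bytes([2, 1, 1]) + bytes(9),
    "pe32": _pe_header(0x10B),
    "pe32plus": _pe_header(0x20B),
}

if __name__ == "__main__":
    for name, (path, bits) in audit().items():
        note = "32-bit build: affected configuration" if bits == "32" else bits
        print(f"{name}: {path}: {note}")
```

A result of `unknown` usually means the PATH entry is a wrapper script; check the binary it launches instead.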
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GTKWave/GTKWave v5, Range: 3.3.115
Patches
No patches discovered yet.