CVE-2023-34436

Vulnerability

An out-of-bounds write vulnerability exists in the lxt2_rd_init function's handling of num_time_table_entries in the LXT2 file format parser of GTKWave version 3.3.115. The flaw resides in lxt2_read.c and is reachable when any GTKWave component (GUI, lxt2vcd, rtlbrowse, lxt2miner) opens a specially crafted .lxt2 file. No special configuration is required beyond the application being able to process the file [1].

Exploitation

An attacker must craft a malicious .lxt2 file with manipulated num_time_table_entries data. The victim must then open this file using GTKWave, which can occur simply by double-clicking the file if mime types are set up, or by using the GTKWave GUI or command-line tools to load the file. No authentication or elevated network access is required; the attack vector is local and relies on user interaction [1].

Impact

Successful exploitation results in arbitrary code execution on the victim's machine. The attacker gains the ability to execute arbitrary commands with the privileges of the user running GTKWave, leading to full compromise of confidentiality, integrity, and availability of data on the affected system [1].

Mitigation

As of the publication date (2024-01-08), no fix has been released. The confirmed vulnerable version is GTKWave 3.3.115. Users should avoid opening untrusted .lxt2 files, monitor GTKWave updates for a patched release, and consider using alternative tools if the risk is unacceptable. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].