CVE-2023-35955

Vulnerability

The vulnerability resides in the fstReaderIterBlocks2 function's VCDATA parsing within GTKWave 3.3.115, specifically in the decompression routine LZ4_decompress_safe_partial. It is a heap-based buffer overflow (CWE-119). The affected code path is reachable when a user opens a specially-crafted .fst file via fstReaderOpen. [1]

Exploitation

An attacker must craft a malicious .fst file and convince a victim to open it. Because GTKWave registers mime types for its supported extensions, simply double-clicking the file (e.g., from an email attachment) triggers the vulnerability. No authentication is required; only user interaction (opening the file) is needed. The overflow occurs during the decompression step when processing crafted VCDATA blocks. [1]

Impact

Successful exploitation allows arbitrary code execution with the privileges of the user running GTKWave. This leads to full compromise of confidentiality, integrity, and availability. The CVSSv3 score is 7.8 (High). [1]

Mitigation

As of the Talos advisory (TALOS-2023-1785), no patched version has been released. GTKWave 3.3.115 is confirmed vulnerable. Users should avoid opening untrusted .fst files until a fix is available. No workaround has been provided. [1]