CVE-2023-35956

Vulnerability

Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 VCDATA parsing functionality of GTKWave version 3.3.115. The flaw is triggered during decompression via the function fastlz_decompress, where a specially-crafted .fst file can cause out-of-bounds writes on the heap. The vulnerable code path is reached when the user opens a malicious .fst file, either through the GUI or command-line tools. [1]

Exploitation

An attacker must craft a malicious .fst file that exploits the heap overflow in the VCDATA decompression routine. The victim must open the file using GTKWave 3.3.115, either by double-clicking (as GTKWave registers mime types for its extensions) or via a command-line invocation. No special privileges or authentication are required beyond user interaction. [1]

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution in the context of the user running GTKWave. The CVSS v3.1 score is 7.8 (High) with confidentiality, integrity, and availability all rated as High, indicating full compromise of the affected system. [1]

Mitigation

As of the publication date (2024-01-08), no patched version of GTKWave has been released by the vendor. Users should avoid opening untrusted .fst files until an update is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]