CVE-2023-35994
Description
Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the tdelta initialization part.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GTKWave 3.3.115 has multiple improper array index validation bugs in fstReaderIterBlocks2 tdelta handling, allowing arbitrary code execution via a crafted .fst file.
Vulnerability
The fstReaderIterBlocks2 function's tdelta initialization logic in GTKWave 3.3.115 contains multiple improper array index validation vulnerabilities (CWE-129). These flaws occur during parsing of specially crafted .fst files. The function fstReaderOpen initiates file parsing, and the vulnerable code path is reached when the victim opens a malicious .fst file using GTKWave's GUI or command-line tools. GTKWave is available on Linux, Windows, and macOS.
Exploitation
An attacker must craft a .fst file with maliciously structured data to trigger improper array index validation. The victim must open this file using GTKWave (e.g., by double-clicking on a .fst attachment received via email, as GTKWave registers MIME types for its supported extensions). No additional authentication or network access is required; the attack vector is local file opening with user interaction.
Impact
Successful exploitation leads to arbitrary code execution in the context of the GTKWave process. The attacker gains the ability to execute arbitrary commands or code, potentially leading to full compromise of the victim's system. The CVSSv3 score is 7.8 (High) with impacts to confidentiality, integrity, and availability.
Mitigation
As of the reference publication date (January 8, 2024), GTKWave 3.3.115 is confirmed vulnerable. No patched version is mentioned in the available references [1]. Users should avoid opening untrusted .fst files with GTKWave until a fix is released. Monitor vendor updates at https://gtkwave.sourceforge.net.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- GTKWave/GTKWave, v5, Range: 3.3.115
Patches (0)
No patches discovered yet.
References (2)