VYPR
Unrated severity · NVD Advisory · Published Jan 8, 2024 · Updated Nov 4, 2025

CVE-2023-35995

Description

Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the tdelta indexing when signal_lens is 1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GTKWave 3.3.115 suffers from improper array index validation in fstReaderIterBlocks2 tdelta, enabling arbitrary code execution via a malicious .fst file.

Vulnerability

Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave version 3.3.115. The flaw specifically affects the tdelta indexing when signal_lens is 1. A specially crafted .fst file can trigger these vulnerabilities, leading to arbitrary code execution [1].

Exploitation

An attacker must create a malicious .fst file that exploits the improper array index validation. The victim needs to open this file using GTKWave, either by double-clicking on the file (as GTKWave sets up mime types for its supported extensions) or via the GUI. No authentication is required, and the attack is local (the user opens the file) [1].

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution with the privileges of the victim. This can lead to full compromise of confidentiality, integrity, and availability (CIA) on the affected system [1].

Mitigation

As of the publication date (2024-01-08), no fixed version has been released. Users should avoid opening untrusted .fst files from unknown sources. The vendor has been notified, but no patch is available yet [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • GTKWave/GTKWave (llm-fuzzy)
    Range: = 3.3.115
  • GTKWave/GTKWave (v5)
    Range: 3.3.115

Patches

0

No patches discovered yet.

References

2
