VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 8, 2024· Updated Nov 4, 2025

CVE-2023-35996

CVE-2023-35996

Description

Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns the tdelta indexing when signal_lens is 0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple improper array index validation in GTKWave's fstReaderIterBlocks2 tdelta function allows arbitrary code execution via a crafted .fst file.

Vulnerability

The vulnerability resides in the fstReaderIterBlocks2 function's tdelta handling within GTKWave version 3.3.115 [1]. Specifically, improper validation of array indices occurs when signal_lens is zero, allowing out-of-bounds access. This code path is triggered when a user opens a specially crafted .fst file using GTKWave's file parsing routines.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious .fst file with manipulated tdelta indexing [1]. No authentication or special privileges are required; the victim only needs to open the file (e.g., by double-clicking it in a file manager or via GTKWave's open dialog). The attack is local and relies on user interaction.

Impact

Successful exploitation leads to arbitrary code execution in the context of the user running GTKWave. This can result in full compromise of confidentiality, integrity, and availability of the affected system.

Mitigation

As of the advisory publication date (2024-01-08), no patched version of GTKWave has been released [1]. Users are advised to avoid opening .fst files from untrusted sources until a fix is available. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

References
  1. TALOS-2023-1791 || Cisco Talos Intelligence Group

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • GTKWave/GTKWavellm-fuzzy
    Range: = 3.3.115
  • GTKWave/GTKWavev5
    Range: 3.3.115

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.