CVE-2023-36861

Vulnerability

An out-of-bounds write vulnerability exists in the LZMA_read_varint functionality of GTKWave version 3.3.115 when parsing specially crafted .vzt (Verilog Zipped Trace) files. The flaw resides in the VZT parsing code within vzt_rd_init_smp and related functions used by the GUI, vzt2vcd, and vztminer tools. No special configuration is required; any victim who opens a malicious .vzt file triggers the vulnerable code path [1].

Exploitation

An attacker must craft a malicious .vzt file that triggers the out-of-bounds write in the LZMA_read_varint function. The victim must open this file using GTKWave (e.g., by double-clicking the file if mime-types are set, or via the command line). No authentication or network access is needed beyond file delivery (e.g., email attachment or download). The attacker does not require any prior access or interaction beyond convincing the victim to open the file [1].

Impact

Successful exploitation leads to arbitrary code execution in the context of the victim's user session. The CVSSv3 score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability. The attacker can achieve full compromise of the affected system, limited only by the privileges of the user running GTKWave [1].

Mitigation

As of the publication date (2024-01-08), no patched version has been released by the vendor. Users should avoid opening .vzt files from untrusted sources. If possible, restrict file type associations for .vzt files to prevent automatic opening. Monitor vendor updates for a future fix. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].