Unrated severity · NVD Advisory · Published Jan 8, 2024 · Updated Nov 4, 2025

CVE-2023-36915

Description

Multiple integer overflow vulnerabilities exist in the FST fstReaderIterBlocks2 chain_table allocation functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the allocation of the chain_table array.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple integer overflows in GTKWave 3.3.115's FST parser allow arbitrary code execution when opening a malicious .fst file.

Vulnerability

Multiple integer overflow vulnerabilities exist in the fstReaderIterBlocks2 function of GTKWave 3.3.115 during the allocation of the chain_table array. The flaw resides in the FST file parsing code invoked by fstReaderOpen. A specially crafted .fst file can cause integer overflows when computing the size of the chain_table allocation, leading to a heap buffer overflow. No special configuration is required; the vulnerable code path is reachable simply by opening a malicious file. The affected version is GTKWave 3.3.115 [1].

Exploitation

An attacker can exploit these vulnerabilities by crafting a malicious .fst file and delivering it to a victim. The attack requires user interaction—the victim must open the file using GTKWave (e.g., by double-clicking the file or loading it via the GUI). GTKWave registers file extensions with MIME types, so a victim may unknowingly trigger the vulnerability by opening an email attachment. No authentication or network access is needed beyond local file access [1].

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution in the context of the GTKWave process. The vulnerabilities affect the allocation of the chain_table array, and exploitation can lead to full compromise of confidentiality, integrity, and availability. The CVSSv3 score is 7.8, with a vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [1].

Mitigation

As of the advisory publication date (January 8, 2024), no patched version of GTKWave has been released. The vendor was notified and confirmed the vulnerability, but a fix is not yet available. Users should avoid opening untrusted .fst files with GTKWave 3.3.115 until a patch is provided. There is no known workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the date of this report [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • GTKWave/GTKWave (llm-fuzzy)
    Range: <=3.3.115
  • GTKWave/GTKWave (v5)
    Range: 3.3.115

Patches

0

No patches discovered yet.

References

2
