VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 8, 2024· Updated Nov 4, 2025

CVE-2023-36916

CVE-2023-36916

Description

Multiple integer overflow vulnerabilities exist in the FST fstReaderIterBlocks2 chain_table allocation functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns the allocation of the chain_table_lengths array.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple integer overflows in GTKWave 3.3.115's FST parsing allow arbitrary code execution via a crafted .fst file.

Vulnerability

An integer overflow vulnerability exists in the fstReaderIterBlocks2 function's chain_table_lengths array allocation within GTKWave 3.3.115 [1]. The flaw occurs when parsing a specially crafted .fst file, leading to a heap buffer overflow. The vulnerable code path is reachable when the application opens a malicious file, either via the GUI or command-line tools.

Exploitation

An attacker can exploit this vulnerability by providing a crafted .fst file to a victim. The victim must open the file using GTKWave, which can occur through double-clicking the file or using the gtkwave command. No authentication or special privileges are required [1]. The attack is local, but the file can be delivered via email or other means.

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution in the context of the victim's user account. This can lead to complete compromise of confidentiality, integrity, and availability of the affected system [1].

Mitigation

As of the publication date, no official patch or fixed version has been released by the vendor. Users are advised to avoid opening untrusted .fst files with GTKWave 3.3.115 until a fix is available [1].

References
  1. TALOS-2023-1798 || Cisco Talos Intelligence Group

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • GTKWave/GTKWavellm-fuzzy
    Range: =3.3.115
  • GTKWave/GTKWavev5
    Range: 3.3.115

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.