CVE-2023-37418
Description
Multiple out-of-bounds write vulnerabilities exist in the VCD parse_valuechange portdump functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when triggered via the vcd2vzt conversion utility.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple out-of-bounds write flaws in GTKWave 3.3.115's VCD parsing allow arbitrary code execution when a victim opens a malicious .vcd file.
Vulnerability
GTKWave 3.3.115 contains multiple out-of-bounds write vulnerabilities in the VCD parse_valuechange portdump functionality, triggered when parsing a crafted .vcd file. The issue exists in the vcd_parse function used by conversion utilities such as vcd2lxt, vcd2lxt2, and vcd2vzt, but not in vcd_recorder.c. The vulnerability can be reached via the graphical interface or the vcd2vzt command-line tool. Affected version: GTKWave 3.3.115 [1].
Exploitation
An attacker must craft a malicious .vcd file and convince a victim to open it using GTKWave or its conversion tools. No special privileges or network access are required beyond local file interaction. The exploit involves the VCD parsing loop (vcd_parse) misinterpreting malformed tokens, leading to an out-of-bounds write when parse_valuechange handles portdump data. Opening the file in the GUI or using the vcd2vzt utility triggers the vulnerability [1].
Impact
Successful exploitation yields arbitrary code execution with the privileges of the victim. This can result in full compromise of confidentiality, integrity, and availability (CVSS 7.8, High). The attacker gains the ability to execute arbitrary code, potentially escalate privileges, or install malware [1].
Mitigation
As of the advisory date (2024-01-08), no official patch or fixed version has been released. Users should avoid opening untrusted .vcd files with GTKWave 3.3.115 or its conversion utilities. Monitor the vendor's website (https://gtkwave.sourceforge.net) for updates. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GTKWave/GTKWave v5, Range: 3.3.115
Patches
No patches discovered yet.
References