CVE-2023-37443

Vulnerability

Multiple out-of-bounds read vulnerabilities exist in the VCD variable definition section parsing code of GTKWave 3.3.115 [1]. The flaw resides in the legacy VCD parsing code used by both the GUI and command-line conversion utilities. An attacker can trigger these by providing a specially crafted .vcd file. The issue is classified under CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer [1].

Exploitation

Exploitation requires no authentication or special privileges. The attacker crafts a malicious .vcd file and convinces a victim to open it (e.g., via email or shared link) in GTKWave's GUI or one of its conversion tools (vcd2lxt, vcd2lxt2, vcd2vzt). Once the file is opened, the vulnerable parsing logic is triggered, leading to an out-of-bounds read [1].

Impact

Successful exploitation allows arbitrary code execution in the context of the GTKWave process. Given the CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), an attacker can achieve full compromise of confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2024-01-08), no official fix for GTKWave 3.3.115 has been disclosed in the available references [1]. Users are advised to avoid opening untrusted .vcd files until a patched version is released. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.