CVE-2023-37444

Vulnerability

In GTKWave 3.3.115, the VCD parsing code (both in GUI and conversion utilities like vcd2lxt, vcd2lxt2, vcd2vzt) contains multiple out-of-bounds read flaws in the variable definition section. The vcd_parse function processes each line and executes different switch blocks based on tokens; improper bounds checking leads to out-of-bounds reads when handling specially crafted .vcd files. This vulnerability is identified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) [1].

Exploitation

An attacker must craft a malicious .vcd file that triggers the out-of-bounds read during parsing. No authentication or special network position is required; the victim simply needs to open the file using GTKWave's GUI or a command-line conversion tool. The vulnerability is triggered during the parsing of the var definition section, without requiring any user interaction beyond opening the file [1].

Impact

Successful exploitation can lead to arbitrary code execution in the context of the GTKWave process. The CVSS score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high confidentiality, integrity, and availability impact. An attacker could potentially gain full control over the affected system [1].

Mitigation

As of the advisory date (January 2024), no patched version had been released. The vendor (GTKWave) was notified and the vulnerability was confirmed. Users should avoid opening untrusted .vcd files from unknown sources. The specific version 3.3.115 is confirmed vulnerable; users should monitor for updates from the official website. No workaround beyond file handling precautions is available [1].