CVE-2023-37446

Vulnerability

GTKWave versions 3.3.115 contain multiple out-of-bounds read vulnerabilities in the VCD var definition section parsing functionality. The bug resides in the vcd_parse function, which is shared by the command-line conversion utilities vcd2lxt, vcd2lxt2, vcd2vzt and the GUI code. A specially crafted Value Change Dump (.vcd) file triggers the out-of-bounds read, leading to arbitrary code execution. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). [1]

Exploitation

An attacker must craft a malicious .vcd file and convince a victim to open it using either the GTKWave GUI or one of the affected conversion utilities (vcd2lxt, vcd2lxt2, vcd2vzt). No special privileges or network position are required beyond the ability to deliver the file (e.g., via email attachment or shared folder). The vulnerability is triggered during parsing of the var definition section in the VCD file; no user interaction beyond opening the file is necessary for exploitation. [1]

Impact

Successful exploitation leads to arbitrary code execution in the context of the victim user. The attacker can achieve full compromise of confidentiality, integrity, and availability (CIA) of the affected system. The CVSSv3 score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. [1]

Mitigation

No official patch was available in the referenced sources at the time of publication (2024-01-08). Users should avoid opening untrusted .vcd files with GTKWave or its conversion utilities until a fixed version is released. The vendor was contacted via Talos; it is recommended to monitor the GTKWave project page for updates. [1]