CVE-2023-37447
Description
Multiple out-of-bounds read vulnerabilities exist in the VCD var definition section functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when triggered via the vcd2lxt conversion utility.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple out-of-bounds read flaws in GTKWave 3.3.115 VCD parsing allow arbitrary code execution via a crafted .vcd file.
Vulnerability
GTKWave 3.3.115 contains multiple out-of-bounds read vulnerabilities in the VCD variable definition section parsing functionality. The issue exists in the vcd_parse function, which handles .vcd files and is shared across the GUI and the command-line conversion utilities vcd2lxt, vcd2lxt2, and vcd2vzt. A specially crafted .vcd file can trigger these out-of-bounds reads, leading to arbitrary code execution. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The only affected version is 3.3.115, as confirmed by Cisco Talos [1].
Exploitation
To exploit these vulnerabilities, an attacker must convince a victim to open a malicious .vcd file using GTKWave or one of its conversion utilities (e.g., vcd2lxt). No special privileges or network position is required beyond local file access. The attacker crafts the .vcd file with specific out-of-bounds data in the variable definition section. When vcd_parse processes the file, it reads beyond allocated buffer bounds, enabling control flow hijacking [1].
Impact
Successful exploitation allows an attacker to achieve arbitrary code execution in the context of the victim process. This results in full compromise of confidentiality, integrity, and availability (CVSSv3 7.8). The attacker gains the same privileges as the user running GTKWave, potentially leading to data theft, modification, or further system compromise [1].
Mitigation
As of the publication date 2024-01-08, no fixed version has been released. The vendor (GTKWave) has not responded with a patch. Users should avoid opening untrusted .vcd files from unknown sources until a patch is made available. No workarounds are documented. The vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog as of the reference date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GTKWave/GTKWave (v5), Range: 3.3.115
Patches
No patches discovered yet.