CVE-2023-37573

Vulnerability

Multiple use-after-free vulnerabilities exist in the get_vartoken realloc functionality of GTKWave version 3.3.115 [1]. The issue occurs during parsing of VCD (Value Change Dump) files by the vcd_parse function, which is used in the GUI and command-line conversion utilities (vcd2lxt, vcd2lxt2, vcd2vzt). A specially crafted .vcd file can trigger a use-after-free condition when the parser reallocates memory for variable tokens. No special configuration is required beyond opening the malicious file [1].

Exploitation

An attacker must craft a malicious .vcd file that triggers the use-after-free during the get_vartoken realloc code path [1]. The victim needs to open the file using GTKWave, either via the GUI (e.g., double-clicking a wave file received by email) or by using an affected command-line utility. The attack requires no authentication or network access, only user interaction (opening the file) [1].

Impact

Successful exploitation leads to arbitrary code execution in the context of the GTKWave process [1]. The CVSSv3 score is 7.8, indicating high impact on confidentiality, integrity, and availability. An attacker could gain full control of the victim's system, with the ability to read sensitive data, modify files, or execute arbitrary commands [1].

Mitigation

As of the advisory publication date (January 8, 2024), the vendor has confirmed the vulnerability in GTKWave 3.3.115 but no fixed version has been released [1]. Users should avoid opening untrusted .vcd files until a patch is available. No workarounds have been documented. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory date.