CVE-2023-37575

Vulnerability

Multiple use-after-free vulnerabilities exist in the VCD get_vartoken realloc functionality of GTKWave 3.3.115 [1]. The flaw resides in the vcd_parse function, which processes value change dump (VCD) files. The vulnerable code path is reachable when GTKWave opens a specially crafted .vcd file through its GUI or command-line conversion utilities (vcd2lxt, vcd2lxt2, vcd2vzt) [1]. All versions of GTKWave 3.3.115 are affected [1].

Exploitation

An attacker must craft a malicious .vcd file that triggers a use-after-free condition during the reallocation of variable tokens in the vcd_parse function [1]. The attack requires victim interaction: the target must open the malicious file, for example by double-clicking on it in a file manager (since GTKWave registers mime types for wave files) or by loading it through the GUI [1]. No additional privileges are required [1].

Impact

Successful exploitation results in arbitrary code execution in the context of the GTKWave application [1]. The attacker gains full compromise of confidentiality, integrity, and availability (CVSSv3 7.8) [1].

Mitigation

As of the publication date (2024-01-08), no patched version of GTKWave has been released [1]. Users should avoid opening untrusted .vcd files from unknown or suspicious sources [1]. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.