CVE-2023-37576

Vulnerability

Multiple use-after-free vulnerabilities exist in the VCD get_vartoken realloc functionality of GTKWave version 3.3.115 [1]. The bug resides in the VCD parsing logic (vcd_parse) used by various conversion utilities (e.g., vcd2vzt, vcd2lxt) and the GUI component [1]. A specially crafted .vcd file can trigger a use-after-free when reallocating memory during token handling [1]. The vulnerability is confirmed for version 3.3.115 [1].

Exploitation

An attacker must provide a malicious .vcd file to the victim [1]. No authentication or special privileges are required. The victim only needs to open the file, either by double-clicking it (as GTKWave registers mime types for its supported extensions) or by using a conversion utility like vcd2vzt [1]. The vulnerable code path is reached when vcd_parse processes a crafted token that triggers a use-after-free during the get_vartoken realloc operation [1].

Impact

Successful exploitation leads to arbitrary code execution in the context of the GTKWave process [1]. The impact is high for confidentiality, integrity, and availability (CVSS 7.8) [1]. Depending on the attacker's control, this could result in full system compromise, data exfiltration, or further lateral movement.

Mitigation

As of the available references [1], no patched version has been released. The vendor has been notified (TALOS-2023-1806) but no fix or workaround is documented. Users should avoid opening untrusted .vcd files from unknown sources until an update is provided. There is no indication that this CVE is listed in the Known Exploited Vulnerabilities catalog.