CVE-2023-37921
Description
Multiple arbitrary write vulnerabilities exist in the VCD sorted bsearch functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns the arbitrary write when triggered via the vcd2vzt conversion utility.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple arbitrary write vulnerabilities in GTKWave 3.3.115's VCD sorted bsearch allow code execution via crafted .vcd file.
Vulnerability
Multiple arbitrary write vulnerabilities exist in the VCD sorted bsearch functionality of GTKWave version 3.3.115 [1]. The issue resides in the vcd_parse function used by conversion utilities such as vcd2lxt, vcd2lxt2, and vcd2vzt. A specially crafted .vcd file can trigger an arbitrary write condition, leading to potential code execution.
Exploitation
Exploitation requires a victim to open a malicious .vcd file with GTKWave or its conversion utilities. No authentication or special privileges are needed. The attacker crafts a .vcd file that, when parsed, causes an arbitrary write via the sorted bsearch logic.
Impact
Successful exploitation allows an attacker to achieve arbitrary code execution on the victim's system. The CVSSv3 score is 7.8 (High), with impacts to confidentiality, integrity, and availability all rated as high.
Mitigation
As of the publication date, no official fix has been released. Users are advised to avoid opening untrusted .vcd files until a patch is available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- GTKWave/GTKWavev5Range: 3.3.115
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.