CVE-2023-38618
Description
Multiple integer overflow vulnerabilities exist in the VZT facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the rows array.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple integer overflows in GTKWave 3.3.115's VZT facgeometry parsing can lead to arbitrary code execution via a crafted .vzt file.
Vulnerability
GTKWave 3.3.115 contains multiple integer overflow vulnerabilities in the VZT facgeometry parsing functionality, specifically when allocating the rows array. The vulnerability is triggered by parsing specially crafted .vzt files in vzt_rd_init_smp, a function used by the VZT to VCD converter, vztminer, and the GTKWave GUI [1]. The issue is classified as CWE-190 (Integer Overflow or Wraparound).
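The CWE-190 pattern named above, shown as an added example that is not GTKWave's code: a count taken from an input file is multiplied by an element size, the product wraps, and the array is allocated far smaller than the count implies. The type `row_t`, both function names, the `max_rows` limit and the sample count are hypothetical, and the 32-bit size arithmetic is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical row element; not GTKWave's actual type. */
typedef struct { uint32_t first; uint32_t last; } row_t;

/* Unchecked pattern: the byte size is computed in 32-bit arithmetic,
 * so a large file-supplied count wraps to a small allocation size. */
uint32_t rows_size_unchecked(uint32_t count)
{
    return count * (uint32_t)sizeof(row_t);
}

/* Checked pattern: validate the count before any size arithmetic.
 * max_rows is a caller-chosen sanity limit (an assumption of this example).
 * Returns NULL when the count is rejected or the allocation fails. */
row_t *rows_alloc_checked(uint32_t count, uint32_t max_rows)
{
    if (count == 0 || count > max_rows)
        return NULL;
    if (count > UINT32_MAX / sizeof(row_t))   /* product would not fit in 32 bits */
        return NULL;
    return calloc(count, sizeof(row_t));      /* zero-filled rows */
}

int main(void)
{
    uint32_t crafted = 0x20000001u;           /* constructed sample count */
    row_t *rows;

    printf("count=%u, unchecked size=%u bytes\n",
           (unsigned)crafted, (unsigned)rows_size_unchecked(crafted));

    rows = rows_alloc_checked(crafted, 1u << 20);
    printf("checked allocation: %s\n", rows ? "accepted" : "rejected");
    free(rows);
    return 0;
}
```

A parser that rejects the file when the checked helper returns NULL never reaches the loop that would write `count` rows into an undersized buffer.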
Exploitation
An attacker must craft a malicious .vzt file that induces an integer overflow when the rows array is allocated. The victim needs to open the file via the GTKWave GUI (e.g., by double-clicking the file, which works because of registered MIME types) or via affected command-line tools such as vzt2vcd or vztminer. No authentication or special privileges are required beyond user interaction [1].
Impact
Successful exploitation leads to arbitrary code execution in the context of the victim application. The CVSSv3 score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability [1].
Mitigation
As of the report date, the vulnerability was confirmed in GTKWave 3.3.115. No fixed version has been publicly released [1]. Users should avoid opening untrusted .vzt files until a patch is available. The CVE is not currently listed in the KEV catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GTKWave/GTKWave, Range: 3.3.115
Patches
No patches discovered yet.
References