CVE-2023-38622

Vulnerability

Integer overflow vulnerability in the VZT facgeometry parsing functionality of GTKWave 3.3.115. Specifically, when allocating the len array during parsing of a specially crafted .vzt file, an integer overflow can occur, leading to a heap-based buffer overflow. This affects the vzt_read.c module, which is used by the vzt2vcd converter, vztminer, and the GTKWave GUI. The vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). [1]

Exploitation

An attacker can exploit this vulnerability by crafting a malicious .vzt file and convincing a victim to open it. Since GTKWave registers mime types for its supported extensions, a victim may double-click the file from an email attachment or other means, triggering the vulnerable code path. No authentication or special privileges are required; user interaction is limited to opening the file. [1]

Impact

Successful exploitation allows arbitrary code execution in the context of the GTKWave process. The CVSSv3 score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating full compromise of confidentiality, integrity, and availability. [1]

Mitigation

As of the advisory publication (January 2024), the vendor has not released a patched version. Users should avoid opening untrusted .vzt files. No workaround is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]