VYPR
Unrated severity · NVD Advisory · Published Jan 8, 2024 · Updated Nov 4, 2025

CVE-2023-38648

Description

Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_get_facname decompression functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write performed by the prefix copy loop.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple out-of-bounds write vulnerabilities in GTKWave 3.3.115's VZT decompression allow arbitrary code execution via a malicious .vzt file.

Vulnerability

The vulnerability is an out-of-bounds write in the vzt_rd_get_facname decompression function of GTKWave 3.3.115 [1]. It occurs during a prefix copy loop when parsing a specially crafted .vzt file. The issue affects the VZT file format handling and can be triggered by opening a malicious file.

Exploitation

An attacker must convince a victim to open a malicious .vzt file, for example via email or file sharing [1]. No authentication or special network access is required. The victim only needs to use GTKWave to open the file, which may happen automatically if the file type is associated with GTKWave.

Impact

Successful exploitation leads to arbitrary code execution in the context of the user running GTKWave [1]. This can result in full compromise of confidentiality, integrity, and availability of the affected system.

Mitigation

As of the publication date, no fixed version has been announced in the available references [1]. Users should avoid opening untrusted .vzt files and consider using alternative tools or sandboxing until a patch is released.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • GTKWave/GTKWave (llm-fuzzy)
    Range: =3.3.115
  • GTKWave/GTKWave (v5)
    Range: 3.3.115

Patches

0

No patches discovered yet.

References

2
