CVE-2023-38649
Description
Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_get_facname decompression functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write performed by the string copy loop.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GTKWave 3.3.115 contains multiple out-of-bounds write vulnerabilities in the VZT decompression function vzt_rd_get_facname, leading to arbitrary code execution via a crafted .vzt file.
Vulnerability
GTKWave version 3.3.115 contains multiple out-of-bounds write vulnerabilities in the vzt_rd_get_facname decompression functionality of the VZT file parser, as reported in TALOS-2023-1813 [1]. The issue is an improper restriction of operations within the bounds of a memory buffer (CWE-119). A specially crafted .vzt file can trigger a string copy loop that writes beyond the allocated buffer. The parser is used by vzt2vcd, vztminer, and the GTKWave GUI, so all entry points are affected [1].
Exploitation
An attacker must craft a malicious .vzt file and convince a victim to open it, either by double-clicking the file (GTKWave registers mime types) or using the GUI or command-line tools [1]. The attacker requires no network position or authentication; user interaction is the only prerequisite. The out-of-bounds write occurs during decompression when the string copy loop in vzt_rd_get_facname does not properly check bounds against the allocated memory [1].
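The bounds checks a copy loop of this kind needs, as an added C example. It is not GTKWave's code: the record layout (a 2-byte shared-prefix count followed by a NUL-terminated suffix) and the name `decode_name` are assumptions made for illustration, and the sample table is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed record layout (hypothetical, not taken from GTKWave): a 2-byte
 * big-endian count of leading bytes reused from the previous name, then a
 * NUL-terminated suffix. An unchecked `while ((*dst++ = *src++));` over such
 * a record lets the file decide how far past the buffer the copy runs. */

/* Decode one record from in[0..in_len) into out[0..out_cap), which still
 * holds the previous name of length prev_len. Returns the bytes consumed, or
 * 0 if the record is malformed or does not fit; sets *name_len on success. */
size_t decode_name(const unsigned char *in, size_t in_len,
                   char *out, size_t out_cap,
                   size_t prev_len, size_t *name_len)
{
    if (in_len < 2 || out_cap == 0)
        return 0;
    size_t shared = ((size_t)in[0] << 8) | in[1];
    /* The reused prefix must exist and must leave room for the terminator. */
    if (shared > prev_len || shared >= out_cap)
        return 0;
    size_t i = 2, o = shared;
    /* Bounded copy loop: read index and write index are both checked. */
    while (i < in_len && in[i] != '\0') {
        if (o + 1 >= out_cap)
            return 0;              /* suffix would overrun the name buffer */
        out[o++] = (char)in[i++];
    }
    if (i >= in_len)
        return 0;                  /* suffix not terminated inside the input */
    out[o] = '\0';
    *name_len = o;
    return i + 1;                  /* header + suffix + terminator */
}

int main(void)
{
    /* Constructed sample: "top.a", then "top.b" sharing a 4-byte prefix. */
    const unsigned char tbl[] = {0,0,'t','o','p','.','a',0, 0,4,'b',0};
    char name[8];
    size_t off = 0, len = 0, used;
    while (off < sizeof tbl &&
           (used = decode_name(tbl + off, sizeof tbl - off,
                               name, sizeof name, len, &len)) != 0) {
        printf("%s (%zu bytes)\n", name, strlen(name));
        off += used;
    }
    return off == sizeof tbl ? 0 : 1;
}
```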
Impact
Successful exploitation leads to arbitrary code execution with the privileges of the victim user [1]. The attacker gains full compromise of confidentiality, integrity, and availability (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, score 7.8) [1].
Mitigation
As of the publication date (2024-01-08), the vendor (GTKWave) has not released a patched version; the confirmed vulnerable version is 3.3.115 [1]. Users should avoid opening untrusted .vzt files until an update is available. No workaround or fix has been disclosed in the available references [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GTKWave/GTKWave v5 Range: 3.3.115
Patches
No patches discovered yet.
References