CVE-2023-38653
Description
Multiple integer overflow vulnerabilities exist in the VZT vzt_rd_block_vch_decode dict parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to memory corruption. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when num_time_ticks is zero.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GTKWave 3.3.115 contains an integer overflow in VZT parsing when num_time_ticks is zero, leading to memory corruption via a crafted .vzt file.
Vulnerability
In GTKWave 3.3.115, an integer overflow vulnerability exists in the VZT vzt_rd_block_vch_decode dict parsing functionality. When num_time_ticks is zero, the parsing logic can trigger an integer overflow, leading to memory corruption. The vulnerability affects the VZT file parsing code in vzt_read.c, used by vzt2vcd, vztminer, and the GTKWave GUI [1]. A specially crafted .vzt file can exploit this condition when opened by a victim.
Exploitation
An attacker must craft a malicious .vzt file that sets num_time_ticks to zero while satisfying other parsing conditions to trigger the integer overflow. The victim must open the file, either via double-click (GTKWave registers mime types for .vzt), through the GUI, or by using one of the command-line tools (vzt2vcd or vztminer). No authentication or special network access is required; the vector is local file opening [1].
Impact
Successful exploitation results in memory corruption. Depending on the memory layout and further exploitation, an attacker could achieve arbitrary code execution, data corruption, or denial of service. The CVSSv3 score is 7.0 (High) with impacts to confidentiality, integrity, and availability [1].
Mitigation
As of the advisory publication date (2024-01-08), no patched version of GTKWave is listed in the references. Users should avoid opening untrusted .vzt files from unknown sources. The vendor has not responded with a fix or workaround at the time of disclosure [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- GTKWave/GTKWave (v5), range: 3.3.115
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.