CVE-2023-39234
Description
Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_process_block autosort functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns the out-of-bounds write when looping over lt->numrealfacs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Out-of-bounds write in GTKWave's VZT parsing allows arbitrary code execution via crafted .vzt file.
Vulnerability
A multiple out-of-bounds write vulnerability exists in the vzt_rd_process_block autosort functionality of GTKWave 3.3.115 [1]. The flaw occurs when looping over lt->numrealfacs without proper bounds checking, allowing an attacker to write past the allocated buffer [1].
Exploitation
An attacker must craft a malicious .vzt file and convince a victim to open it (e.g., via email attachment or web download) [1]. No special privileges or network access are required; the victim simply opens the file in GTKWave, triggering the out-of-bounds write.
Impact
Successful exploitation can lead to arbitrary code execution in the context of the victim's session [1]. This results in a full compromise of confidentiality, integrity, and availability (CVSSv3 7.8) [1].
Mitigation
No official fix has been released for GTKWave 3.3.115 [1]. Users should avoid opening .vzt files from untrusted sources until a patched version is available. The vulnerability is not known to be listed in CISA's KEV.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- GTKWave/GTKWavev5Range: 3.3.115
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.