CVE-2023-39271
Description
Multiple integer overflow vulnerabilities exist in the LXT2 facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the msb array.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in GTKWave 3.3.115 LXT2 facgeometry parsing can lead to arbitrary code execution when a victim opens a malicious file.
Vulnerability
Multiple integer overflow vulnerabilities exist in the LXT2 facgeometry parsing functionality of GTKWave version 3.3.115. Specifically, an integer overflow occurs when allocating the msb array during parsing of a specially crafted .lxt2 file. The LXT2 file format is parsed by functions in lxt2_read.c, which are used by the GUI and command-line tools such as lxt2vcd, rtlbrowse, and lxt2miner [1]. The vulnerability is reachable when the victim opens a malicious .lxt2 file.
Exploitation
An attacker must craft a malicious .lxt2 file that triggers the integer overflow during allocation. The victim needs to open the file using GTKWave (for example, by double-clicking the file, which invokes the GUI) or by using an affected command-line tool. No authentication or network access is required; the attack vector is local and user interaction is necessary [1]. The exploit sequence involves the lxt2_rd_init function parsing the file, leading to an undersized buffer allocation due to integer wraparound, which can then be used to corrupt memory.
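The wraparound described above, shown as an added C example that is not GTKWave's code. The function names, the 4-byte element size, the `max_count` policy limit and the sample count are all assumptions, constructed to show how a file-supplied element count can wrap in 32-bit size arithmetic and how a checked allocation rejects it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte size a build with 32-bit size arithmetic computes for
   count * elem_size: the product is reduced modulo 2^32. */
static uint32_t wrapped_size32(uint32_t count, uint32_t elem_size)
{
    return (uint32_t)((uint64_t)count * elem_size);
}

/* 1 if count * elem_size fits in 32 bits, 0 if it would wrap. */
static int size_fits32(uint32_t count, uint32_t elem_size)
{
    return elem_size == 0 || count <= UINT32_MAX / elem_size;
}

/* Hardened allocation (hypothetical helper): reject a count whose byte
   size overflows size_t, or that exceeds a caller-chosen policy limit,
   before any memory is requested. */
static void *alloc_array_checked(size_t count, size_t elem_size,
                                 size_t max_count)
{
    if (count == 0 || elem_size == 0)
        return NULL;
    if (count > SIZE_MAX / elem_size)   /* product would wrap */
        return NULL;
    if (count > max_count)              /* implausible for this input */
        return NULL;
    return calloc(count, elem_size);
}

int main(void)
{
    uint32_t count = 0x40000001u;       /* constructed header value */
    uint32_t elem  = 4;                 /* assumed 4-byte elements */

    printf("requested elements: %u\n", (unsigned)count);
    printf("32-bit byte size:   %u (fits: %d)\n",
           (unsigned)wrapped_size32(count, elem), size_fits32(count, elem));

    void *p = alloc_array_checked(count, elem, (size_t)1 << 20);
    printf("checked allocation: %s\n", p ? "granted" : "rejected");
    free(p);
    return 0;
}
```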
Impact
Successful exploitation allows the attacker to achieve arbitrary code execution in the context of the user running GTKWave. The CVSS v3.1 score is 7.8 (High), with impacts on confidentiality, integrity, and availability [1]. An attacker could execute code on the victim's machine, potentially leading to full system compromise depending on the user's privileges.
Mitigation
As of the Talos advisory TALOS-2023-1818 published in January 2024, version 3.3.115 is confirmed vulnerable. No patched version has been released by the vendor, and no workarounds are documented. Users should avoid opening untrusted .lxt2 files in GTKWave until a fix is available [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GTKWave/GTKWave (v5), Range: 3.3.115
Patches
No patches discovered yet.