CVE-2023-39273

Vulnerability

An integer overflow vulnerability exists in the LXT2 facgeometry parsing functionality of GTKWave 3.3.115 [1]. The bug occurs when allocating the flags array during parsing of a specially crafted .lxt2 file. The vulnerable code resides in the lxt2_rd_init function within lxt2_read.c, which is used by the GTKWave GUI, lxt2vcd, rtlbrowse, and lxt2miner [1]. No special configuration is required; simply opening a malicious file triggers the overflow.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious .lxt2 file that triggers the integer overflow when the flags array is allocated [1]. The victim must be convinced to open the file, for example by double-clicking on an email attachment, as GTKWave registers mime types for its supported extensions [1]. No authentication or network access is required; the attack is local and requires user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) [1].

Impact

Successful exploitation leads to arbitrary code execution in the context of the GTKWave process [1]. This can result in full compromise of confidentiality, integrity, and availability of the victim's system, potentially allowing the attacker to execute arbitrary commands, read sensitive data, or install malware [1]. The privilege level achieved is that of the user running GTKWave.

Mitigation

As of the advisory publication date (2024-01-08), no official fix has been released for GTKWave 3.3.115 [1]. Users should avoid opening untrusted .lxt2 files from unknown sources. If a newer version of GTKWave becomes available, updating is recommended. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.