CVE-2023-39275

Vulnerability

An integer overflow vulnerability exists in the facgeometry parsing functionality of GTKWave version 3.3.115. Specifically, when allocating the value array in LXT2 file handling, an overflow can occur. The vulnerability is triggered by a specially crafted .lxt2 file and resides in the LXT2 parsing code within lxt2_read.c. This affects all components that parse LXT2 files, including the GUI, lxt2vcd, rtlbrowse, and lxt2miner utilities [1].

Exploitation

An attacker must craft a malicious .lxt2 file with manipulated facgeometry data that causes an integer overflow during array allocation. The victim must open the file using any GTKWave tool or interface. Because GTKWave registers MIME types for its supported extensions, simply double-clicking a received file is sufficient to trigger the code path. No authentication or elevated privileges are required beyond user interaction [1].

Impact

Successful exploitation leads to arbitrary code execution in the context of the user running GTKWave. This gives the attacker full control over confidentiality, integrity, and availability (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) [1].

Mitigation

As of the publication date (2024-01-08), no fixed version has been released. The only confirmed vulnerable version is GTKWave 3.3.115. Users should avoid opening untrusted .lxt2 files and monitor GTKWave updates for a patch. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].