CVE-2023-35955

Name of the Vulnerable Software and Affected Versions GTKWave version 3.3.115

Description Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 VCDATA parsing functionality. A specially-crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This issue concerns the decompression function LZ4 decompress safe partial.

Recommendations For GTKWave version 3.3.115, consider avoiding the use of the LZ4 decompress safe partial function until a patch is available. As a temporary workaround, restrict the opening of .fst files from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.