CVE-2023-35960

Name of the Vulnerable Software and Affected Versions GTKWave version 3.3.115

Description Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns legacy decompression in vcd main.

Recommendations For GTKWave version 3.3.115, consider disabling the legacy decompression functionality in vcd main as a temporary workaround until a patch is available. Avoid opening malicious wave files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.