PT-2024-12643 · Gtkwave · Gtkwave

Claudio Bozzato · Published 2024-01-08 · Updated 2024-04-09 · CVE-2023-37576

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: GTKWave version 3.3.115

Description: Multiple use-after-free vulnerabilities exist in the VCD get vartoken realloc functionality. A specially crafted .vcd file can trigger them, potentially leading to arbitrary code execution when a victim opens the malicious file. This vulnerability concerns the use-after-free when triggered via the vcd2vzt conversion utility.

Recommendations: For GTKWave version 3.3.115, consider avoiding the vcd2vzt conversion utility and refrain from opening untrusted .vcd files until a fix is available. As a temporary workaround, restrict access to the VCD get vartoken realloc functionality to minimize the risk of exploitation.

Weakness Enumeration: Use After Free

Related Identifiers

CVE-2023-37576
DLA-3785-1
DSA-5653-1

Affected Products

Gtkwave