CVE-2023-38649

Name of the Vulnerable Software and Affected Versions GTKWave version 3.3.115

Description Multiple out-of-bounds write vulnerabilities exist in the VZT vzt rd get facname decompression functionality. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This issue concerns the out-of-bounds write performed by the string copy loop.

Recommendations For GTKWave version 3.3.115, as a temporary workaround, consider disabling the decompression functionality of VZT vzt rd get facname until a patch is available. Avoid opening malicious .vzt files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.