Login Sign Up

CVE-2023-35704

7.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

This vulnerability allows arbitrary code execution when a user opens a malicious .fst file in GTKWave. Attackers can exploit stack-based buffer overflows in the FST LEB128 varint functionality to gain control of the victim's system. Anyone using GTKWave to open untrusted waveform files is affected.

💻 Affected Systems

Products:
  • GTKWave
Versions: Version 3.3.115 and likely earlier versions
Operating Systems: Linux, Windows, macOS - any OS running GTKWave
Default Config Vulnerable: ⚠️ Yes
Notes: All installations that process .fst files are vulnerable by default.

📦 What is this software?

Gtkwave by Tonybybell

View all CVEs affecting Gtkwave →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the user running GTKWave, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Local privilege escalation or arbitrary code execution in the context of the user opening the malicious file, enabling data access and further system exploitation.

🟢

If Mitigated

Limited impact if file opening is restricted to trusted sources and GTKWave runs with minimal privileges.

🌐 Internet-Facing: LOW - This requires user interaction to open a malicious file, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious files via phishing or shared drives.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires crafting a malicious .fst file and convincing a user to open it. The vulnerability is in file parsing code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.3.115 (check GTKWave releases)

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html

Restart Required: No

Instructions:

1. Visit GTKWave official website or package repository. 2. Download and install the latest version. 3. Verify the version is newer than 3.3.115.

🔧 Temporary Workarounds

Restrict .fst file sources

all

Only open .fst files from trusted, verified sources. Implement file validation policies.

Run GTKWave with reduced privileges

linux

Execute GTKWave with limited user permissions to minimize impact if exploited.

sudo -u lowprivilegeuser gtkwave

🧯 If You Can't Patch

  • Discontinue use of GTKWave for untrusted .fst files
  • Implement application whitelisting to block GTKWave execution

🔍 How to Verify

Check if Vulnerable:

Check GTKWave version: 'gtkwave --version' or similar command. If version is 3.3.115 or earlier, it's vulnerable.

Check Version:

gtkwave --version

Verify Fix Applied:

After updating, run 'gtkwave --version' to confirm version is newer than 3.3.115.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from GTKWave
  • Crash logs from GTKWave with memory corruption errors

Network Indicators:

  • Outbound connections from GTKWave process (unusual for this application)

SIEM Query:

Process:gtkwave AND (EventID:1000 OR EventID:1001) OR Process:gtkwave AND NetworkConnection

📊 Metadata

CVE ID: CVE-2023-35704
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-121
Published: January 8, 2024
Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-35704, you might also want to check these:

CVE-2024-39791 10.0

CVE-2024-39791 is a critical stack-based buffer overflow vulnerability in Vonets industrial WiFi bri...

Same vulnerability type (CWE-121)
CVE-2022-20699 10.0

This critical vulnerability in Cisco Small Business routers allows unauthenticated remote attackers ...

Same vulnerability type (CWE-121)
CVE-2022-20701 10.0

This CVE describes multiple critical vulnerabilities in Cisco Small Business RV series routers that ...

Same vulnerability type (CWE-121)