CVE-2023-35960

7.8 HIGH

📋 TL;DR

This CVE describes OS command injection vulnerabilities in GTKWave's decompression functionality. Attackers can execute arbitrary commands by tricking users into opening specially crafted wave files. Anyone using vulnerable versions of GTKWave to open untrusted files is affected.

💻 Affected Systems

Products:
  • GTKWave
Versions: 3.3.115 and earlier
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in legacy decompression functionality in vcd_main. All default installations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining the same privileges as the user running GTKWave, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case: Local privilege escalation or arbitrary code execution in the context of the user opening the malicious file, potentially leading to data exfiltration or malware installation.

🟢 If Mitigated: Limited impact if the user runs with minimal privileges and file opening is restricted to trusted sources only.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening malicious file). No public exploit code identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.3.115

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html

Restart Required: No

Instructions:

1. Check the current GTKWave version.
2. Update to the latest version from the official repository.
3. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable legacy decompression (platform: all): Disable or remove the vulnerable decompression functionality if it is not needed.

Restrict file opening (platform: all): Only open wave files from trusted sources.

🧯 If You Can't Patch

  • Run GTKWave with minimal user privileges (non-admin/non-root)
  • Use application whitelisting to prevent execution of unauthorized commands

🔍 How to Verify

Check if Vulnerable:

Check the GTKWave version: if it is 3.3.115 or earlier, the installation is vulnerable.

Check Version:

gtkwave --version

Verify Fix Applied:

Verify GTKWave version is greater than 3.3.115
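The version check above can be automated. The following script is an added example and not part of the advisory or the GTKWave project: it runs `gtkwave --version` when the binary is on PATH, pulls the first dotted version number out of the banner, and compares it numerically against 3.3.115. The banner text used in the comments and tests is a constructed sample; the parser only assumes that the banner contains a three-part dotted version somewhere.

```python
import re
import shutil
import subprocess

# Last affected release per the advisory: 3.3.115 and earlier are vulnerable.
LAST_VULNERABLE = (3, 3, 115)

# First dotted three-part number in the banner, e.g. the "3.3.115" in a
# constructed banner like "GTKWave Analyzer v3.3.115 (w)1999-2023 BSI".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return the (major, minor, patch) tuple found in a version banner, or None."""
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_vulnerable(banner):
    """True when the banner's version is 3.3.115 or earlier.

    Tuples compare component-wise, so 3.3.99 sorts before 3.3.115; a plain
    string comparison would wrongly report 3.3.99 as the newer release.
    """
    version = parse_version(banner)
    if version is None:
        raise ValueError("no version number found in banner: %r" % banner)
    return version <= LAST_VULNERABLE


def check_installed(binary="gtkwave"):
    """Run `<binary> --version` if the binary is on PATH.

    Returns None when it is not installed, otherwise (banner, vulnerable).
    """
    path = shutil.which(binary)
    if path is None:
        return None
    proc = subprocess.run([path, "--version"], capture_output=True,
                          text=True, timeout=15)
    output = (proc.stdout + proc.stderr).strip()
    banner = output.splitlines()[0] if output else ""
    return banner, is_vulnerable(banner)


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("gtkwave not found on PATH")
    else:
        banner, vulnerable = result
        status = "VULNERABLE (3.3.115 or earlier)" if vulnerable else "fixed version"
        print("%s -> %s" % (banner, status))
```

Distribution packages may backport the fix without bumping the upstream version string, so on Debian-style systems the package changelog referenced in the vendor advisory is the authoritative check; the script reports on the upstream version only.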

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution from GTKWave process
  • Failed decompression attempts with suspicious parameters

Network Indicators:

  • Outbound connections from GTKWave process to unexpected destinations

SIEM Query:

process_name:gtkwave AND (command_injection_indicators OR suspicious_child_process)
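The SIEM query above is written in pseudo-syntax; the logic behind "suspicious child process" and "command injection indicators" can be made concrete against process-creation telemetry. The following is an added example, not detection content from the advisory: it assumes that GTKWave hands the decompressor to a shell as `sh -c "<command>"` (the usual popen pattern, assumed here rather than taken from the page), treats a small allow-list of decompressors as expected children, and flags any shell command under a gtkwave ancestor that carries shell metacharacters, as well as any other process under gtkwave that is not an expected decompressor. The events are constructed samples in a simplified schema (executable name, command line, ancestor chain), not real log lines.

```python
import os
import re
import shlex
from dataclasses import dataclass

SHELLS = {"sh", "bash", "dash", "zsh"}

# Decompressors a GTKWave build may legitimately run for compressed wave files.
# Assumed list for this example; adjust it to what your build actually spawns.
EXPECTED_DECOMPRESSORS = {"gzip", "gunzip", "zcat", "bzip2", "bzcat", "xz", "xzcat"}

# Characters that should never appear in a single decompressor invocation.
SHELL_METACHARS = re.compile(r"[;&|`<>]|\$\(")


@dataclass
class ProcEvent:
    name: str        # executable name of the new process
    cmdline: str     # its full command line
    ancestry: list   # parent chain, nearest parent first, e.g. ["sh", "gtkwave"]


def classify(ev):
    """Return an indicator label for a process under gtkwave, or None if benign."""
    if "gtkwave" not in ev.ancestry:
        return None
    if ev.name in SHELLS:
        # popen-style launch: sh -c "<command>"; inspect the command string.
        argv = shlex.split(ev.cmdline)
        if len(argv) >= 3 and argv[1] == "-c":
            command = argv[2]
            if SHELL_METACHARS.search(command):
                return "command_injection_indicators"
            try:
                first = shlex.split(command)[0]
            except (ValueError, IndexError):
                return "command_injection_indicators"
            if os.path.basename(first) in EXPECTED_DECOMPRESSORS:
                return None
        return "suspicious_child_process"
    if ev.name in EXPECTED_DECOMPRESSORS:
        return None
    return "suspicious_child_process"


def scan(events):
    """Return [(process name, indicator)] for every flagged event."""
    flagged = []
    for ev in events:
        label = classify(ev)
        if label is not None:
            flagged.append((ev.name, label))
    return flagged


# Constructed sample telemetry: two benign decompressions, one injected command.
SAMPLE_EVENTS = [
    ProcEvent("sh", "sh -c 'gzip -cd /home/user/trace.vcd.gz'", ["gtkwave"]),
    ProcEvent("gzip", "gzip -cd /home/user/trace.vcd.gz", ["sh", "gtkwave"]),
    ProcEvent("sh", "sh -c 'xz -cd /home/user/trace.vcd.xz'", ["gtkwave"]),
    ProcEvent("xz", "xz -cd /home/user/trace.vcd.xz", ["sh", "gtkwave"]),
    ProcEvent("sh", "sh -c 'gzip -cd /tmp/wave.vcd.gz; touch /tmp/injected'", ["gtkwave"]),
    ProcEvent("touch", "touch /tmp/injected", ["sh", "gtkwave"]),
    ProcEvent("sh", "sh -c 'ls'", ["bash"]),   # not under gtkwave, ignored
]

if __name__ == "__main__":
    for name, label in scan(SAMPLE_EVENTS):
        print("%-6s %s" % (name, label))
```

A legitimate file whose name contains one of the metacharacters will also be flagged; that is a tolerable false positive for a rule scoped to children of gtkwave, and it is exactly the kind of filename the vulnerable build would mishandle anyway.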
