CVE-2023-35962

7.8 HIGH

📋 TL;DR

CVE-2023-35962 allows arbitrary command execution through OS command injection in GTKWave's vcd2vzt utility when processing specially crafted wave files. Attackers can achieve remote code execution by tricking users into opening malicious files. This affects anyone using GTKWave 3.3.115 to analyze electronic design automation waveforms.

💻 Affected Systems

Products:
  • GTKWave
Versions: 3.3.115
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability specifically in the vcd2vzt decompression utility component of GTKWave.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the user running GTKWave, potentially leading to lateral movement, data exfiltration, or ransomware deployment.

🟠 Likely Case

Local privilege escalation or execution of arbitrary commands in the context of the user opening the malicious file, potentially compromising sensitive engineering data.

🟢 If Mitigated

Limited impact if running with minimal privileges, in isolated environments, or with proper file validation controls.

🌐 Internet-Facing: LOW - Requires user interaction to open malicious files, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Engineering teams sharing waveform files internally could inadvertently trigger exploitation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to open a malicious file. Proof-of-concept details are available in Talos Intelligence reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.3.115

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html

Restart Required: No

Instructions:

1. Check current GTKWave version.
2. Update to latest version from official repository.
3. Verify vcd2vzt utility is updated.
4. Test with known safe waveform files.

🔧 Temporary Workarounds

Disable vcd2vzt utility (Linux)

Remove or restrict execute permissions on the vulnerable vcd2vzt binary:

sudo chmod -x /usr/bin/vcd2vzt
sudo mv /usr/bin/vcd2vzt /usr/bin/vcd2vzt.disabled

Restrict file sources (all platforms)

Only open waveform files from trusted sources and validate file integrity.

🧯 If You Can't Patch

  • Run GTKWave with minimal user privileges (non-admin/non-root)
  • Use application sandboxing or containerization to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check if GTKWave version is 3.3.115: gtkwave --version

Check Version:

gtkwave --version | head -1

Verify Fix Applied:

Confirm version is newer than 3.3.115 and test with sample waveform files
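As an added example (not part of this advisory), the following POSIX shell script automates the check above: it pulls the dotted version out of the first line of `gtkwave --version` and reports whether it is newer than 3.3.115. The exact wording of the `gtkwave --version` output is assumed; only the first x.y.z token on the line is used.

```shell
#!/bin/sh
# Added example: compare an installed GTKWave version against the threshold
# in this advisory (fixed = newer than 3.3.115). Assumes "gtkwave --version"
# prints something like "GTKWave Analyzer v3.3.115 ..." on its first line.

FIXED_AFTER="3.3.115"

# extract_version LINE -> prints the first x.y.z token found in LINE (or nothing)
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_gt A B -> exit 0 if A is newer than B, comparing dotted fields numerically
version_gt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # equal versions are not "newer"
}

# gtkwave_fix_applied VERSION_LINE -> exit 0 only if the version is newer than 3.3.115
gtkwave_fix_applied() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2   # no version found: unknown, so do not report as fixed
    version_gt "$v" "$FIXED_AFTER"
}

# check_installed -> runs the check against the local gtkwave binary, if any
check_installed() {
    command -v gtkwave >/dev/null 2>&1 || { echo "gtkwave not installed"; return 0; }
    line=$(gtkwave --version 2>/dev/null | head -n 1)
    if gtkwave_fix_applied "$line"; then
        echo "OK: $line (newer than $FIXED_AFTER)"
    else
        echo "NOT FIXED: $line (affected release: $FIXED_AFTER)"
        return 1
    fi
}

# Run the local check only when asked, so the functions can also be sourced.
case "${1:-}" in --installed) check_installed ;; esac
```

Run it as `sh check_gtkwave.sh --installed` on each workstation; a non-zero exit status means the installed release is 3.3.115 or older.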

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from GTKWave context
  • Suspicious command-line arguments to vcd2vzt

Network Indicators:

  • Unexpected outbound connections from GTKWave process

SIEM Query:

process_name:vcd2vzt AND (command_line:*sh* OR command_line:*bash* OR command_line:*cmd*)

Note that `*sh*` matches any path or argument containing "sh", so expect noise; where your telemetry records parent process, a shell (sh, bash, cmd) whose parent is vcd2vzt is the more specific signal for a command-injection bug.
