CVE-2023-35970

7.8 HIGH

📋 TL;DR

CVE-2023-35970 is a heap-based buffer overflow in GTKWave's FST file parser that can lead to arbitrary code execution when a user opens a malicious .fst file. It affects users of GTKWave 3.3.115 who process untrusted waveform data files. The flaw lies in the chain_table parsing of the FST_BL_VCDATA_DYN_ALIAS2 section.

💻 Affected Systems

Products:
  • GTKWave
Versions: 3.3.115
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of GTKWave 3.3.115 are vulnerable when processing .fst files. The vulnerability is in the core file parsing functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with the attacker gaining the same privileges as the user running GTKWave, potentially leading to lateral movement, data theft, or ransomware deployment.

🟠 Likely Case

Local privilege escalation or arbitrary code execution in the context of the user opening the malicious file, potentially compromising user data and system integrity.

🟢 If Mitigated

Limited impact if file execution is blocked or GTKWave runs in sandboxed/isolated environments with minimal privileges.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening a malicious file). Proof-of-concept details are available in the Talos Intelligence report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.118 or later

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html

Restart Required: No

Instructions:

1. Download GTKWave 3.3.118 or later from the official repository.
2. Uninstall the vulnerable version.
3. Install the patched version following platform-specific installation procedures.

🔧 Temporary Workarounds

Restrict .fst file processing (Platforms: all)

Block or restrict processing of .fst files from untrusted sources.

Run GTKWave with reduced privileges (Platforms: all)

Execute GTKWave with minimal user privileges or in sandboxed environments.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of GTKWave
  • Use file integrity monitoring to detect unauthorized .fst file modifications

🔍 How to Verify

Check if Vulnerable:

Check GTKWave version: Run 'gtkwave --version' and check whether the reported version is 3.3.115.

Check Version:

gtkwave --version

Verify Fix Applied:

After patching, run 'gtkwave --version' and confirm that the reported version is 3.3.118 or later.
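As an added example (not part of this advisory and not GTKWave's own tooling), the following POSIX shell script automates the version check above: it extracts the version number from a `gtkwave --version` line and classifies the build as affected or fixed against the 3.3.118 threshold. The output format `GTKWave Analyzer v3.3.115 (w)1999-2023 BSI` is an assumption about how GTKWave prints its version, and the sample lines are constructed for offline use; adjust the extraction pattern if your build prints something different.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a GTKWave build against
# CVE-2023-35970 using the version string printed by `gtkwave --version`.
# ASSUMPTION: the output contains a token like "v3.3.115".

FIXED_VERSION="3.3.118"   # first patched release named in the advisory

# extract_version LINE: print the dotted version number found after a "v", or nothing.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*v\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' | head -n 1
}

# version_ge A B: exit 0 if dotted version A >= B, comparing component by component
# (pure shell, so it does not depend on `sort -V` being available).
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0};  bi=${bi:-0}            # missing components count as 0 (3.4 == 3.4.0)
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0   # all components equal
}

# classify_version LINE: print "affected", "fixed", or "unknown" for a --version line.
classify_version() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "affected"
    fi
}

# check_installed: classify the gtkwave binary on PATH, or report "unknown" if absent.
check_installed() {
    if command -v gtkwave >/dev/null 2>&1; then
        classify_version "$(gtkwave --version 2>&1 | head -n 1)"
    else
        echo "unknown"
    fi
}

# Constructed sample lines (not captured from a real system) so the script runs offline.
SAMPLE_VULNERABLE="GTKWave Analyzer v3.3.115 (w)1999-2023 BSI"
SAMPLE_PATCHED="GTKWave Analyzer v3.3.118 (w)1999-2023 BSI"

for line in "$SAMPLE_VULNERABLE" "$SAMPLE_PATCHED"; do
    printf '%s -> %s\n' "$line" "$(classify_version "$line")"
done
printf 'installed gtkwave -> %s\n' "$(check_installed)"
```

Note that "unknown" is returned both when no gtkwave binary is on PATH and when the version line does not match the assumed pattern; treat it as "needs manual verification" rather than as safe.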

📡 Detection & Monitoring

Log Indicators:

  • GTKWave crash logs with memory access violations
  • Unexpected process termination of GTKWave

Network Indicators:

  • Download of .fst files from untrusted sources

SIEM Query:

(Process:gtkwave AND (EventID:1000 OR EventID:1001)) OR (FileExtension:.fst AND SourceIP:External)
