CVE-2023-35995

7.8 HIGH

📋 TL;DR

CVE-2023-35995 is an improper array index validation vulnerability in GTKWave's fst file parser that allows arbitrary code execution when processing malicious .fst files. Users who open specially crafted .fst files with vulnerable GTKWave versions are affected. This vulnerability specifically occurs when signal_lens is 1 during tdelta indexing.

💻 Affected Systems

Products:
  • GTKWave
Versions: Version 3.3.115 and potentially earlier versions
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected GTKWave versions are vulnerable when processing .fst files. The vulnerability triggers specifically when signal_lens equals 1.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary code execution with the privileges of the GTKWave process, potentially leading to malware installation, data theft, or lateral movement.

🟠 Likely Case

Local privilege escalation or remote code execution if GTKWave processes files from untrusted sources, particularly in automated workflows or shared environments.

🟢 If Mitigated

Limited impact with proper file handling controls, user education, and network segmentation preventing malicious file delivery.

🌐 Internet-Facing: LOW - GTKWave is typically not an internet-facing application; exploitation requires file delivery through other means.
🏢 Internal Only: MEDIUM - Risk exists in environments where users process .fst files from untrusted sources, particularly in engineering or research settings.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the victim to open a malicious .fst file. No authentication bypass is needed, but social engineering or automated file processing is required for delivery.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.3.115 (check GTKWave releases for specific fixed version)

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html

Restart Required: No

Instructions:

1. Check the current GTKWave version.
2. Download and install the latest GTKWave version from official sources.
3. Verify that the installation is successful and the vulnerability is patched.

🔧 Temporary Workarounds

Restrict .fst file processing (all platforms)

Limit GTKWave to only process .fst files from trusted sources and implement file validation controls.

Use application sandboxing (linux)

Run GTKWave in a sandboxed or restricted environment to limit potential damage from exploitation.

firejail gtkwave (Linux)
sandbox-exec -f sandbox_profile gtkwave (macOS)

🧯 If You Can't Patch

  • Implement strict file handling policies to only open .fst files from trusted, verified sources.
  • Use alternative waveform viewers that are not vulnerable to this specific CVE for processing untrusted files.

🔍 How to Verify

Check if Vulnerable:

Check GTKWave version: 'gtkwave --version' or examine installed package version. If version is 3.3.115 or earlier, the system is vulnerable.

Check Version:

gtkwave --version

Verify Fix Applied:

Verify GTKWave version is updated beyond 3.3.115 using 'gtkwave --version' command.
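The version check above, as an added shell example (not from this page or the GTKWave project): it pulls the dotted version out of whatever 'gtkwave --version' prints and compares it component by component against 3.3.115, the last version this page lists as vulnerable. It assumes the output of 'gtkwave --version' contains a version such as v3.3.115; if your build prints something else, adjust extract_version.

```shell
#!/bin/sh
# Added example, not GTKWave project code. Flags a GTKWave install whose
# version is 3.3.115 or lower, the range this page reports as vulnerable.
# Assumption: `gtkwave --version` prints a dotted version such as v3.3.115.

LAST_VULNERABLE="3.3.115"

# Pull the first dotted x.y.z version out of arbitrary text (empty if none).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Numeric component-wise comparison of two dotted versions.
# Prints -1, 0 or 1 for a<b, a=b, a>b; missing components count as 0,
# so 3.4 compares as 3.4.0 and is newer than 3.3.115.
vercmp() {
    i=1
    while :; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i")
        y=$(printf '%s.' "$2" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            printf '%s\n' 0
            return
        fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
}

# Exit status 0 = vulnerable (<= 3.3.115), 1 = outside that range,
# 2 = no version string found in the input.
gtkwave_vulnerable() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        return 2
    fi
    [ "$(vercmp "$v" "$LAST_VULNERABLE")" -le 0 ]
}

# Run the check against the installed binary, if there is one on PATH.
if command -v gtkwave >/dev/null 2>&1; then
    out=$(gtkwave --version 2>&1 || true)
    if gtkwave_vulnerable "$out"; then
        echo "VULNERABLE: GTKWave $(extract_version "$out") is <= $LAST_VULNERABLE"
    else
        echo "Not in the vulnerable range (or version not parsed): $out"
    fi
fi
```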

📡 Detection & Monitoring

Log Indicators:

  • GTKWave crash logs with memory access violations
  • Unexpected process creation from GTKWave
  • Abnormal file access patterns from GTKWave process

Network Indicators:

  • Unusual outbound connections from systems running GTKWave
  • File downloads preceding GTKWave execution

SIEM Query:

(Process:gtkwave AND (EventID:1000 OR EventID:1001)) OR (ProcessCreation:gtkwave AND ParentProcess:!explorer.exe)
