CVE-2023-35997

7.8 HIGH

📋 TL;DR

This vulnerability allows arbitrary code execution when a user opens a specially crafted .fst file in GTKWave. Attackers can exploit improper array index validation in the tdelta functionality to execute malicious code on the victim's system. Anyone using GTKWave to open untrusted waveform files is affected.

💻 Affected Systems

Products:
  • GTKWave
Versions: 3.3.115; earlier versions are likely also affected
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code path is reached when signal_lens is 2 or more during tdelta indexing.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise: the attacker gains full control of the victim's machine through arbitrary code execution.

🟠 Likely Case

Local privilege escalation or malware installation when a user opens a malicious .fst file.

🟢 If Mitigated

No impact if users only open trusted .fst files or run a patched version.

🌐 Internet-Facing: LOW - GTKWave is typically not an internet-facing service.
🏢 Internal Only: MEDIUM - Risk exists when users open untrusted files internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file). No public exploit code found in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Debian security updates or upstream GTKWave repository

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html

Restart Required: No

Instructions:

1. Update GTKWave through your package manager.
2. For Debian systems: apt-get update && apt-get install --only-upgrade gtkwave
3. Verify that the patched version is installed.

🔧 Temporary Workarounds

Restrict .fst file handling (platform: all)

Configure the system to open .fst files only from trusted sources.

Sandbox GTKWave execution (platform: linux)

Run GTKWave in a restricted environment, for example:

firejail gtkwave untrusted.fst
bwrap --ro-bind / / --dev /dev --proc /proc --tmpfs /tmp --ro-bind-try /tmp/.X11-unix /tmp/.X11-unix --unshare-pid --die-with-parent gtkwave untrusted.fst

Do not use --dev-bind / / here: it mounts the whole host filesystem read-write inside the sandbox. With --ro-bind the filesystem is read-only (the .fst file stays readable), the X11 socket is bound back in so the GUI still works (Wayland sockets under /run are covered by the read-only root, and --ro-bind-try tolerates a missing X11 socket on Wayland-only hosts), and --unshare-pid hides other processes from GTKWave.

🧯 If You Can't Patch

  • Only open .fst files from trusted, verified sources
  • Use GTKWave in isolated virtual machines or containers

🔍 How to Verify

Check if Vulnerable:

Check the installed GTKWave version:

gtkwave --version

Verify Fix Applied:

Verify that the version is newer than 3.3.115, or check with the package manager. Distribution packages that backport the fix (as the Debian advisory above does) keep the older upstream version string, so on those systems rely on the package changelog or package revision rather than the version GTKWave reports.
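As an added example (not part of this advisory), a POSIX shell script that parses the gtkwave --version banner and compares the version field-by-field against 3.3.115. The banner format "GTKWave Analyzer vX.Y.Z ..." is an assumption, and the script cannot see distribution backports that keep an older version string.

```shell
#!/bin/sh
# Added example: check whether an installed GTKWave reports a version at or
# below the last known-affected upstream release named in this advisory.
# Assumption: `gtkwave --version` prints a banner such as
# "GTKWave Analyzer v3.3.104 (w)1999-2020 BSI" (constructed sample format).
VULN_MAX="3.3.115"

# vercmp A B: numeric, field-by-field comparison of dotted version strings.
# Prints -1, 0 or 1 for A<B, A=B, A>B. Missing fields count as 0 and a
# non-numeric suffix ("115rc1") is ignored, so "3.3" compares equal to "3.3.0".
vercmp() {
  va="$1"; vb="$2"
  while [ -n "$va" ] || [ -n "$vb" ]; do
    fa="${va%%.*}"; fb="${vb%%.*}"
    if [ "$va" = "$fa" ]; then va=""; else va="${va#*.}"; fi
    if [ "$vb" = "$fb" ]; then vb=""; else vb="${vb#*.}"; fi
    fa="${fa%%[!0-9]*}"; fb="${fb%%[!0-9]*}"
    fa="${fa:-0}"; fb="${fb:-0}"
    if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
    if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# parse_gtkwave_version TEXT: extract "X.Y.Z" from the version banner text.
parse_gtkwave_version() {
  printf '%s\n' "$1" | sed -n 's/.*v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# gtkwave_affected VERSION: succeeds (exit 0) when VERSION <= VULN_MAX.
gtkwave_affected() {
  [ "$(vercmp "$1" "$VULN_MAX")" -le 0 ]
}

# check_installed_gtkwave: run the live check against the gtkwave in PATH.
# Caveat: distro packages that backport the fix keep an old upstream version
# string, so confirm a "likely affected" result against the package changelog.
check_installed_gtkwave() {
  command -v gtkwave >/dev/null 2>&1 || { echo "gtkwave not found in PATH"; return 2; }
  ver=$(parse_gtkwave_version "$(gtkwave --version 2>&1)")
  [ -n "$ver" ] || { echo "could not parse version banner"; return 2; }
  if gtkwave_affected "$ver"; then
    echo "gtkwave $ver: at or below $VULN_MAX, likely affected by CVE-2023-35997"; return 1
  fi
  echo "gtkwave $ver: newer than $VULN_MAX"; return 0
}

# Usage: sh check_gtkwave.sh --run
if [ "${1:-}" = "--run" ]; then check_installed_gtkwave; fi
```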

📡 Detection & Monitoring

Log Indicators:

  • GTKWave crashes while opening .fst files
  • Unexpected process execution from GTKWave

Network Indicators:

  • None - local file exploitation

SIEM Query:

Process:gtkwave AND (EventID:1000 OR EventID:1001 OR FileExtension:.fst)

EventID 1000 and 1001 are the Windows Application Error and Windows Error Reporting events, so this query covers Windows hosts; on Linux, look for segfault messages naming gtkwave in the kernel log or systemd-coredump records. Keep FileExtension:.fst inside the parentheses: as a top-level OR it would match every .fst file event regardless of process.

🔗 References
