CVE-2023-36864

7.8 HIGH

📋 TL;DR

This integer overflow vulnerability in GTKWave's FST file parser allows arbitrary code execution when a user opens a specially crafted malicious .fst file. Attackers can exploit this to gain control of the victim's system. Anyone using GTKWave to open untrusted FST files is affected.

💻 Affected Systems

Products:
  • GTKWave
Versions: 3.3.115 and likely earlier
Operating Systems: Linux, Windows, macOS - any OS running GTKWave
Default Config Vulnerable: ⚠️ Yes
Notes: All installations are vulnerable when processing FST files. The vulnerability is in the core file parsing functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining the same privileges as the user running GTKWave, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case: Local privilege escalation or arbitrary code execution in the context of the user opening the malicious file, enabling data access and further system exploitation.

🟢 If Mitigated: No impact if users only open trusted FST files from verified sources or if the application is patched.

🌐 Internet-Facing: LOW - GTKWave is typically not exposed directly to the internet as a service.
🏢 Internal Only: MEDIUM - Risk exists when users open untrusted FST files from internal sources like email attachments or shared drives.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening a malicious file). The vulnerability is well-documented with technical details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with distribution maintainers - Debian has patched versions available

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html

Restart Required: No

Instructions:

1. Update GTKWave through your package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade gtkwave
3. For other systems, check your distribution's security updates.

🔧 Temporary Workarounds

Restrict FST file handling (all platforms): Configure the system to open FST files only with trusted applications or in sandboxed environments.

User awareness training (all platforms): Train users to open FST files only from trusted sources.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unapproved GTKWave binaries
  • Use sandboxing solutions to run GTKWave in isolated environments when processing untrusted files

🔍 How to Verify

Check if Vulnerable:

Check the GTKWave version with gtkwave --version. If the version is 3.3.115 or earlier, assume it is vulnerable.

Check Version:

gtkwave --version

Verify Fix Applied:

Verify the updated version: gtkwave --version should report a version later than 3.3.115, or a patched distribution build.
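An added shell helper, not part of this advisory or of the GTKWave project, that applies the version check above: it pulls the dotted version out of the gtkwave --version banner and compares it against 3.3.115 with sort -V. The banner wording "GTKWave Analyzer v3.3.115 ..." is an assumption; the parser only needs a three-part version somewhere in the output.

```sh
#!/bin/sh
# Added example: flag a GTKWave install as vulnerable to CVE-2023-36864 by version.
# Assumption: "gtkwave --version" prints a banner containing a dotted x.y.z
# version, e.g. "GTKWave Analyzer v3.3.115 (w)1999-2023 BSI" (constructed sample).
# Requires sort -V (GNU coreutils or FreeBSD sort).

LAST_VULNERABLE="3.3.115"   # threshold named in the advisory

# Print the first dotted x.y.z version found in a banner string, or nothing.
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit 0 if the version is <= 3.3.115 (assume vulnerable),
# 1 if it is newer, 2 if the string is empty or not x.y.z.
is_vulnerable_version() {
  v="$1"
  case "$v" in
    *.*.*) ;;
    *) return 2 ;;
  esac
  lowest=$(printf '%s\n%s\n' "$v" "$LAST_VULNERABLE" | sort -V | head -n 1)
  [ "$lowest" = "$v" ]
}

# Classify a full banner: prints "vulnerable", "patched" or "unknown".
classify_banner() {
  rc=0
  is_vulnerable_version "$(extract_version "$1")" || rc=$?
  case $rc in
    0) echo "vulnerable" ;;
    1) echo "patched" ;;
    *) echo "unknown" ;;
  esac
}

# Check the locally installed binary when one is present on PATH.
if command -v gtkwave >/dev/null 2>&1; then
  echo "gtkwave: $(classify_banner "$(gtkwave --version 2>&1)")"
fi
```

A "vulnerable" result from a distribution package may be a false positive, since distributions often backport the fix without changing the upstream version string; confirm against the package changelog or the advisory linked above.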

📡 Detection & Monitoring

Log Indicators:

  • GTKWave crash logs with memory corruption errors
  • Unexpected process creation from GTKWave

Network Indicators:

  • Unusual outbound connections from GTKWave process

SIEM Query:

Process creation where parent process is gtkwave AND (command line contains .fst OR file extension is .fst)

🔗 References