CVE-2023-37578

7.8 HIGH

📋 TL;DR

CVE-2023-37578 is a use-after-free vulnerability in GTKWave's VCD file parser that allows arbitrary code execution when a malicious .vcd file is opened. Users who open untrusted .vcd files with GTKWave or its vcd2lxt conversion utility are affected. The flaw lies in the get_vartoken realloc functionality.

💻 Affected Systems

Products:
  • GTKWave
Versions: 3.3.115 and possibly earlier
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is triggered through the vcd2lxt conversion utility and when opening .vcd files directly in GTKWave.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the user running GTKWave, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Local privilege escalation or arbitrary code execution in the context of the user opening the malicious file, potentially compromising sensitive data.

🟢 If Mitigated

Denial of service or application crash if exploit fails, with limited impact due to sandboxing or privilege restrictions.

🌐 Internet-Facing: LOW - GTKWave is typically not exposed to the internet; exploitation requires user interaction with malicious files.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires crafting a malicious .vcd file and convincing a user to open it. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.3.115 (check GTKWave updates)

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html

Restart Required: No

Instructions:

1. Check for an updated GTKWave package in your distribution's repository.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade gtkwave
3. For source installations: download the latest version from the official GTKWave website and recompile.

🔧 Temporary Workarounds

Restrict .vcd file handling (platforms: all)

Configure the system to open .vcd files with alternative, unaffected software, or disable automatic opening.

User awareness training (platforms: all)

Train users not to open .vcd files from untrusted sources.

🧯 If You Can't Patch

  • Restrict GTKWave and vcd2lxt execution to trusted users only
  • Implement application whitelisting to prevent unauthorized GTKWave execution

🔍 How to Verify

Check if Vulnerable:

Check the GTKWave version with gtkwave --version or vcd2lxt --version. If the version is 3.3.115 or earlier, the system is vulnerable.

Check Version:

gtkwave --version 2>&1 | head -1

Verify Fix Applied:

After updating, verify that the reported version is newer than 3.3.115 using the same version check command.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected GTKWave or vcd2lxt process crashes
  • Unusual file access patterns to .vcd files

Network Indicators:

  • Download of .vcd files from untrusted sources

SIEM Query:

Process creation where (process_name contains 'gtkwave' OR process_name contains 'vcd2lxt') AND command_line contains '.vcd'
