CVE-2023-39272

7.8 HIGH

📋 TL;DR

CVE-2023-39272 is an integer overflow vulnerability in GTKWave's LXT2 file parser that can lead to arbitrary code execution when a malicious .lxt2 file is opened. Users of GTKWave 3.3.115 who open untrusted waveform files are affected. The vulnerability occurs during memory allocation for the lsb array when parsing facgeometry data.

💻 Affected Systems

Products:
  • GTKWave
Versions: 3.3.115
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of GTKWave 3.3.115 are vulnerable when opening .lxt2 files. The vulnerability is in the core LXT2 parser functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the victim's machine through arbitrary code execution.

🟠 Likely Case

Local privilege escalation or remote code execution depending on how the malicious file is delivered and opened.

🟢 If Mitigated

Denial of service or application crash if exploit fails or is blocked by security controls.

🌐 Internet-Facing: LOW - GTKWave is typically not an internet-facing service, but malicious files could be delivered via web downloads.
🏢 Internal Only: MEDIUM - Users opening untrusted .lxt2 files from internal sources could be exploited.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious file. No public exploit code has been identified, but technical details are available in the Talos report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.3.115

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html

Restart Required: No

Instructions:

1. Check current GTKWave version.
2. Update to latest version from official repository.
3. Verify the update was successful.
4. Remove any cached malicious .lxt2 files.

🔧 Temporary Workarounds

Disable LXT2 file opening (all platforms)

Prevent GTKWave from opening .lxt2 files by removing file association or using application controls.

Sandbox execution (all platforms)

Run GTKWave in a sandboxed environment to limit potential damage from exploitation.

🧯 If You Can't Patch

  • Restrict .lxt2 file opening to trusted sources only
  • Implement application whitelisting to prevent unauthorized GTKWave execution

🔍 How to Verify

Check if Vulnerable:

Run 'gtkwave --version'. An installation that reports 3.3.115 or earlier is vulnerable.

Check Version:

gtkwave --version

Verify Fix Applied:

After update, verify version is newer than 3.3.115 and test opening known safe .lxt2 files.
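
The version check described above, scripted as an added example (not part of the original advisory or the GTKWave project): it extracts the first x.y.z number from the `gtkwave --version` output and compares it field by field with 3.3.115. The function names and the sample banner strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a GTKWave version banner against the advisory.
# Per the advisory, 3.3.115 or earlier is treated as vulnerable.
LAST_AFFECTED="3.3.115"

# Print the first x.y.z version number found in the text, or nothing.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed if version $1 <= version $2, comparing each field numerically
# (a plain string comparison would rank 3.3.9 above 3.3.115).
version_le() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # splits into: maj1 min1 pat1 maj2 min2 pat2
    IFS=$old_ifs
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -le "$6" ]
}

# Print "vulnerable <ver>", "patched <ver>" or "unknown" for a banner string.
classify_banner() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_le "$ver" "$LAST_AFFECTED"; then
        echo "vulnerable $ver"
    else
        echo "patched $ver"
    fi
}

# Constructed sample banners (assumed shape, not captured output).
for banner in "GTKWave Analyzer v3.3.115" "GTKWave Analyzer v3.3.9" \
              "GTKWave Analyzer v3.4.0"; do
    printf '%-28s -> %s\n' "$banner" "$(classify_banner "$banner")"
done

# Check the local installation only when gtkwave is on PATH.
if command -v gtkwave >/dev/null 2>&1; then
    echo "local install: $(classify_banner "$(gtkwave --version 2>&1)")"
fi
```

An "unknown" result means no version number could be read from the output and the installation should be checked by hand.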

📡 Detection & Monitoring

Log Indicators:

  • GTKWave crashes when opening .lxt2 files
  • Unusual memory allocation patterns in process monitoring

Network Indicators:

  • Downloads of .lxt2 files from untrusted sources

SIEM Query:

process_name:"gtkwave" AND (event_type:"crash" OR file_extension:".lxt2")
