CVE-2023-39443

7.8 HIGH

📋 TL;DR

This vulnerability allows arbitrary code execution when a user opens a malicious .lxt2 file in GTKWave. Attackers can craft files that trigger out-of-bounds writes during LXT2 parsing, potentially leading to full system compromise. Anyone using GTKWave to analyze waveform files is affected.

💻 Affected Systems

Products:
  • GTKWave
Versions: 3.3.115 and earlier
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations that process .lxt2 files are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the user running GTKWave, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Local privilege escalation or arbitrary code execution in the context of the user opening the malicious file, enabling data exfiltration or persistence mechanisms.

🟢 If Mitigated

Limited impact if file opening is restricted to trusted sources and GTKWave runs with minimal privileges.

🌐 Internet-Facing: LOW - GTKWave is typically not an internet-facing service; exploitation requires user interaction with malicious files.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files, but exploitation requires user interaction.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening malicious file) but the vulnerability is straightforward to exploit once a malicious file is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.116 or later

Vendor Advisory: https://sourceforge.net/p/gtkwave/bugs/43/

Restart Required: No

Instructions:

1. Download the latest GTKWave from the official source.
2. Uninstall the old version.
3. Install the new version.
4. Verify the version is 3.3.116 or higher.

🔧 Temporary Workarounds

Disable LXT2 file processing (applies to: all)

Prevent GTKWave from opening .lxt2 files by removing file association or using application controls.

Restrict file sources (applies to: all)

Only open .lxt2 files from trusted, verified sources and implement file integrity checking.

🧯 If You Can't Patch

  • Run GTKWave with minimal user privileges to limit impact of exploitation
  • Implement application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check the GTKWave version: run 'gtkwave --version' or check the About dialog in the GUI.

Check Version:

gtkwave --version

Verify Fix Applied:

Confirm the version is 3.3.116 or higher using the version check command above.

📡 Detection & Monitoring

Log Indicators:

  • GTKWave crash logs with memory access violations
  • Unexpected child processes spawned from GTKWave

Network Indicators:

  • Unusual outbound connections from GTKWave process

SIEM Query:

Process creation where parent_process contains 'gtkwave' AND (process_name not in ['gtkwave', 'sh', 'bash'])
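The query above is pseudocode. As an added example (not from this page or from the GTKWave project), here is the same logic run in Python over constructed process-creation events; the field names parent_process and process_name and the sample events are assumptions. The allowlist is a parameter so you can see that, with 'sh' and 'bash' allowed as in the query above, a shell spawned directly by GTKWave is not flagged, while a tighter allowlist catches it.

```python
# Added example: apply the page's SIEM logic to constructed process-creation
# events. Field names and sample events are assumptions, not real log data.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_process: str  # full path or name of the parent, e.g. "/usr/bin/gtkwave"
    process_name: str    # image name of the new process, e.g. "sh"
    user: str            # account the process runs as


# Allowlist exactly as written in the page's query: gtkwave itself and shells.
DEFAULT_ALLOW = frozenset({"gtkwave", "sh", "bash"})


def is_suspicious_child(ev, allow=DEFAULT_ALLOW):
    """True when the parent is gtkwave and the child is not in the allowlist.

    Matching is case-insensitive so Windows paths such as
    'C:\\...\\gtkwave.exe' are handled the same as '/usr/bin/gtkwave'.
    """
    if "gtkwave" not in ev.parent_process.lower():
        return False
    return ev.process_name.lower() not in {a.lower() for a in allow}


def find_suspicious(events, allow=DEFAULT_ALLOW):
    """Return the events that would raise an alert under the given allowlist."""
    return [ev for ev in events if is_suspicious_child(ev, allow)]


# Constructed sample events (assumed, for illustration only).
SAMPLE_EVENTS = [
    ProcEvent("/usr/bin/gtkwave", "gtkwave", "alice"),      # helper instance, benign
    ProcEvent("/usr/bin/gtkwave", "sh", "alice"),           # shell child: allowed by the page's query
    ProcEvent("/usr/bin/gtkwave", "curl", "alice"),         # unexpected child: alert
    ProcEvent("/usr/bin/bash", "curl", "alice"),            # parent is not gtkwave: ignore
    ProcEvent("C:\\Program Files\\gtkwave\\bin\\gtkwave.exe", "powershell.exe", "bob"),  # alert
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT parent={ev.parent_process} child={ev.process_name} user={ev.user}")
```

With the page's allowlist only curl and powershell.exe are reported; passing allow=frozenset({"gtkwave"}) also reports the sh child, which is usually the higher-value signal for a parser exploit.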
