Open Babel, Heap Buffer Overflow, CVE-2025-10996 (Medium) -DC-Jun2026-764

How CVE-2025-10996 Works

CVE-2025-10996 is a memory-safety vulnerability residing in the SMILES parser of the Open Babel chemistry toolkit. The flaw is triggered within the `OBSmilesParser::ParseSmiles` function, which is responsible for interpreting SMILES (Simplified Molecular-Input Line-Entry System) strings—a standard notation for describing chemical structures.
When the parser processes a specially crafted, malformed SMILES input, it fails to properly validate the length and boundaries of the data being written. This leads to a heap-based buffer overflow, where the parser writes data past the end of a heap-allocated memory buffer. The attack requires local access and low privileges, with a CVSS v3.1 base score of 5.3 (Medium severity).
The vulnerability affects all Open Babel releases up to and including version 3.1.1. It was discovered via Google’s OSS-Fuzz infrastructure and publicly disclosed. The fix was consolidated in pull request 2913 and committed as openbabel/openbabel@b34cd604, with the patched version 3.2.0 released on 2026-05-26. A minimized reproducer is checked into the test suite under `test/files/fuzz_regress/` and is executed on every CI build under ASAN+UBSAN to prevent regressions.

DailyCVE Form:

Platform: Open Babel
Version: 3.1.1 and earlier
Vulnerability: Heap Buffer Overflow
Severity: Medium (CVSS 5.3)
Date: 2025-09-26

Prediction: 2026-05-26

What Undercode Say

Analytics & Bash Commands

```bash
# Check the installed Open Babel version
obabel --version

# Verify whether the system is vulnerable (version <= 3.1.1)
dpkg -l | grep openbabel    # Debian/Ubuntu
rpm -qa | grep openbabel    # RHEL/Fedora

# Clone the repository and check out the vulnerable version for analysis
git clone https://github.com/openbabel/openbabel.git
cd openbabel
git checkout tags/openbabel-3-1-1

# Build with AddressSanitizer to reproduce the crash
mkdir build && cd build
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address -g" ..
make -j$(nproc)

# Run the minimized reproducer (assuming it's in test/files/fuzz_regress/);
# the path is relative to the build directory entered above
./bin/obabel -i smiles ../test/files/fuzz_regress/crash.smi -o can    # Example command

# Alternatively, use the fuzzregresstest harness
./bin/fuzzregresstest

# Check the fix commit
git show b34cd604
```
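
For triaging many hosts, the version check above can be scripted. This is an added example, not code from the page or from the Open Babel project; the function names and the sample version strings are constructed for illustration, and 3.2.0 is the patched release named on this page.

```sh
#!/bin/sh
# Added example: first-pass triage of an Open Babel version string against
# 3.2.0, the release the advisory names as patched.
FIXED_VERSION="3.2.0"

# Print the first dotted version (x.y or x.y.z) found in the input, if any.
extract_version() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+\.[0-9]+(\.[0-9]+)?/) {
            print substr($0, RSTART, RLENGTH); exit
        }'
}

# Succeed (status 0) when version $1 is numerically lower than version $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not lower
    }'
}

# Print vulnerable, patched or unknown for a banner or package version.
assess_openbabel() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Constructed sample inputs: a CLI banner, a Debian-style and an RPM-style version.
for sample in 'Open Babel 3.1.1 -- Oct  7 2020 -- 13:16:30' \
              '3.1.1+dfsg-9' '1:3.2.0-1.fc40'; do
    printf '%-45s %s\n' "$sample" "$(assess_openbabel "$sample")"
done
```

A distribution package can carry a backported fix under an older upstream version number, so confirm a `vulnerable` result against the package changelog before acting on it.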

Exploit

Triggering this vulnerability requires the victim to parse a malicious SMILES string using the `obabel` CLI tool, the `OBConversion` API, or any of the language bindings (Python, Ruby, Java, R, Perl, C, PHP). SMILES strings are commonly passed on the command line and through scripted pipelines, making this primitive especially reachable.

A basic proof-of-concept using the CLI:

```bash
# Craft a malicious SMILES string (example; actual payload is minimized in the test suite)
echo "malicious_smiles_string" > exploit.smi
# Parse it with the vulnerable obabel
obabel -i smiles exploit.smi -o can
```

The heap overflow can lead to memory corruption, potentially causing a denial of service (crash) or, in more severe cases, arbitrary code execution.

Protection

  • Upgrade to Open Babel version 3.2.0 or later, which contains the fix commit b34cd604.
  • Apply the patch manually if upgrading is not immediately possible: `git cherry-pick b34cd604` from the official repository.
  • Validate untrusted SMILES input before it reaches the parser, and exercise the parsing path with a fuzzing harness (e.g., built with ASAN/UBSAN) before processing such input in production.
  • Monitor for any unexpected crashes or memory errors in applications that parse SMILES strings.
  • Use the `fuzzregresstest` harness to validate that your build is not vulnerable to this specific regression.
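
One way to act on the monitoring advice above is to run each conversion in a child process and classify how it ended. This is an added example, not Open Babel's own code; `OBABEL_BIN`, `PARSE_TIMEOUT`, the result labels and the alert line format are assumptions of this sketch, and it relies on the `timeout` utility being installed.

```sh
#!/bin/sh
# Added example: run the page's obabel conversion on one untrusted file in a
# child process and classify the outcome so crashes can be alerted on.
OBABEL_BIN=${OBABEL_BIN:-obabel}    # assumption: override to point at your build
PARSE_TIMEOUT=${PARSE_TIMEOUT:-10}  # assumption: seconds allowed per input

# Map an exit status plus captured stderr to a label worth alerting on.
classify_run() {
    status=$1
    errfile=$2
    if grep -q 'ERROR: AddressSanitizer' "$errfile" 2>/dev/null; then
        echo memory-error                      # sanitizer build reported a memory bug
    elif [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -eq 124 ]; then
        echo timeout                           # status timeout returns when the limit expires
    elif [ "$status" -gt 128 ]; then
        echo "crash-signal-$((status - 128))"  # 139 = SIGSEGV, 134 = SIGABRT
    else
        echo "error-$status"                   # non-zero exit without a signal
    fi
}

# Convert one file under a wall-clock limit; print the label, alert on stderr.
guarded_parse() {
    infile=$1
    errfile=$(mktemp) || return 1
    status=0
    timeout "$PARSE_TIMEOUT" "$OBABEL_BIN" -i smiles "$infile" -o can \
        >/dev/null 2>"$errfile" || status=$?
    result=$(classify_run "$status" "$errfile")
    rm -f "$errfile"
    case $result in
        ok|error-*) ;;
        *) echo "ALERT obabel $result input=$infile" >&2 ;;
    esac
    echo "$result"
}

# Stand-alone use: pass the file to check as the first argument.
if [ "$#" -gt 0 ]; then
    guarded_parse "$1"
fi
```

The `memory-error` label only appears when the binary was built with AddressSanitizer, as in the build commands earlier on the page; a release build shows the same fault, if it is fatal, as `crash-signal-N`.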

Impact

  • Confidentiality: Low — an attacker may be able to read sensitive memory contents.
  • Integrity: Low — memory corruption could allow modification of data.
  • Availability: Low — the vulnerability can cause a crash, leading to denial of service.
  • Attack Vector: Local — the attacker must have local access to the system.
  • Attack Complexity: Low — no special conditions are required beyond providing a crafted input.
  • Privileges Required: Low — the attacker needs only low-level privileges.
  • User Interaction: None — the attack can be triggered without user action.

Open Babel is widely used in computational chemistry, bioinformatics, and cheminformatics pipelines. Systems that parse untrusted SMILES strings, such as web services, data processing workflows, and research platforms, are at risk. The vulnerability is especially concerning because SMILES strings are often passed directly via command-line arguments or script inputs, making exploitation straightforward.

Sources:

Reported By: github.com