How CVE-2025-10996 Works
CVE-2025-10996 is a memory-safety vulnerability residing in the SMILES parser of the Open Babel chemistry toolkit. The flaw is triggered within the `OBSmilesParser::ParseSmiles` function, which is responsible for interpreting SMILES (Simplified Molecular-Input Line-Entry System) strings—a standard notation for describing chemical structures.
When the parser processes a specially crafted, malformed SMILES input, it fails to properly validate the length and boundaries of the data being written. This leads to a heap-based buffer overflow, where the parser writes data past the end of a heap-allocated memory buffer. The attack requires local access and low privileges, with a CVSS v3.1 base score of 5.3 (Medium severity).
The vulnerability affects all Open Babel releases up to and including version 3.1.1. It was discovered via Google’s OSS-Fuzz infrastructure and publicly disclosed. The fix was consolidated in pull request 2913 and committed as openbabel/openbabel@b34cd604, with the patched version 3.2.0 released on 2026-05-26. A minimized reproducer is checked into the test suite under `test/files/fuzz_regress/` and is executed on every CI build under ASAN+UBSAN to prevent regressions.
DailyCVE Form:
Platform: Open Babel
Version: 3.1.1 and earlier
Vulnerability: Heap Buffer Overflow
Severity: Medium (CVSS 5.3)
Date: 2025-09-26
Prediction: 2026-05-26
What Undercode Say
Analytics & Bash Commands
```bash
# Check installed Open Babel version
obabel --version

# Verify if system is vulnerable (version <= 3.1.1)
dpkg -l | grep openbabel   # Debian/Ubuntu
rpm -qa | grep openbabel   # RHEL/Fedora

# Clone the repository and checkout vulnerable version for analysis
git clone https://github.com/openbabel/openbabel.git
cd openbabel
git checkout tags/openbabel-3-1-1

# Build with AddressSanitizer to reproduce the crash
mkdir build && cd build
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address -g" ..
make -j$(nproc)

# Run the minimized reproducer (assuming it's in test/files/fuzz_regress/)
# Example command; the path is relative to the build directory entered above
./bin/obabel -i smiles ../test/files/fuzz_regress/crash.smi -o can

# Alternatively, use the fuzzregresstest harness
./bin/fuzzregresstest

# Check the fix commit
git show b34cd604
```
Exploit
Triggering this vulnerability requires the victim to parse a malicious SMILES string using the `obabel` CLI tool, the `OBConversion` API, or any of the language bindings (Python, Ruby, Java, R, Perl, C, PHP). SMILES strings are commonly passed on the command line and through scripted pipelines, making this primitive especially reachable.
A basic proof-of-concept using the CLI:
```bash
# Craft a malicious SMILES string (example; actual payload is minimized in the test suite)
echo "malicious_smiles_string" > exploit.smi

# Parse it with the vulnerable obabel
obabel -i smiles exploit.smi -o can
```
The heap overflow can lead to memory corruption, potentially causing a denial of service (crash) or, in more severe cases, arbitrary code execution.
Protection
- Upgrade to Open Babel version 3.2.0 or later, which contains the fix commit b34cd604.
- Apply the patch manually if upgrading is not immediately possible: `git cherry-pick b34cd604` from the official repository.
- Sanitize untrusted SMILES input using a fuzzing harness (e.g., with ASAN/UBSAN) before processing in production.
- Monitor for any unexpected crashes or memory errors in applications that parse SMILES strings.
- Use the `fuzzregresstest` harness to validate that your build is not vulnerable to this specific regression.
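One way to act on the crash-monitoring advice above when a pipeline must parse untrusted SMILES: run each parse in a short-lived child process and classify how it ended. This is an added example, not code from Open Babel or from the original post. The function names, verdict labels and 5-second timeout are assumptions; the `obabel` invocation is the one shown on this page.

```python
import os
import subprocess
import tempfile
from signal import SIGABRT, SIGBUS, SIGSEGV

# Signals a native parser typically dies with after memory corruption
# (glibc raises SIGABRT when its allocator detects a corrupted heap).
FAULT_SIGNALS = {SIGSEGV, SIGBUS, SIGABRT}


def obabel_argv(path):
    # Same invocation form as the obabel command shown on this page.
    return ["obabel", "-i", "smiles", path, "-o", "can"]


def parse_isolated(smiles, build_argv=obabel_argv, timeout=5.0):
    """Parse one untrusted SMILES string in a throwaway child process.

    Returns (verdict, detail). Verdicts (hypothetical labels): "ok",
    "rejected", "timeout", "killed", "memory-fault". A "memory-fault"
    is the event to alert on: the parser died instead of returning.
    """
    # The input goes through a file, never through a shell or argv.
    with tempfile.NamedTemporaryFile("w", suffix=".smi", delete=False) as fh:
        fh.write(smiles + "\n")
        path = fh.name
    try:
        proc = subprocess.run(build_argv(path), capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", f"no result after {timeout}s"
    finally:
        os.unlink(path)
    if proc.returncode < 0:  # POSIX: negative code means killed by a signal
        signum = -proc.returncode
        verdict = "memory-fault" if signum in FAULT_SIGNALS else "killed"
        return verdict, f"child terminated by signal {signum}"
    if proc.returncode != 0:  # the tool itself reported a failure
        return "rejected", proc.stderr.strip()
    return "ok", proc.stdout.strip()
```

A crash stays confined to the child process, so the calling service keeps running and can log the offending input for triage.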
Impact
- Confidentiality: Low — an attacker may be able to read sensitive memory contents.
- Integrity: Low — memory corruption could allow modification of data.
- Availability: Low — the vulnerability can cause a crash, leading to denial of service.
- Attack Vector: Local — the attacker must have local access to the system.
- Attack Complexity: Low — no special conditions are required beyond providing a crafted input.
- Privileges Required: Low — the attacker needs only low-level privileges.
- User Interaction: None — the attack can be triggered without user action.
Open Babel is widely used in computational chemistry, bioinformatics, and cheminformatics pipelines. Systems that parse untrusted SMILES strings—such as web services, data processing workflows, and research platforms—are at risk. The vulnerability is especially concerning because SMILES strings are often passed directly via command-line arguments or script inputs, making exploitation straightforward.
Sources:
Reported By: github.com

