Open Babel MOL2 Parser Out-of-Bounds Write Vulnerability (CVE-2022-43607) -DC-Jul2026-777

How CVE-2022-43607 Works

Open Babel is a widely used open-source C++ library and command-line toolkit for converting, processing, and analyzing chemical file formats. It is shipped with major Linux distributions and integrated into various scientific computing services, language bindings (Python, Ruby, Java, R, Perl, C, PHP), and downstream applications that parse chemistry data.
The vulnerability resides in the MOL2 file format parser, specifically within the attribute/value parsing path. MOL2 files contain molecule descriptions structured with key–value pairs for attributes such as atom properties, charge, and substructure information. When the parser reads a crafted MOL2 file, it copies an overly long attribute name or value into a fixed-size stack or heap buffer without proper length validation.
Because the destination buffer has a predetermined maximum size, supplying an attribute or value that exceeds this limit causes the parser to write past the buffer’s boundary. This out-of-bounds write overwrites adjacent memory regions, which may include critical control structures, function pointers, or other variables on the stack or heap.
An attacker can exploit this memory corruption to achieve arbitrary code execution by carefully crafting the overflow data to redirect program flow. The attack requires a victim to open the malicious MOL2 file using the `obabel` command-line tool, the `OBConversion` API, or any of the language bindings. The vulnerability is remotely triggerable if the victim’s application processes untrusted MOL2 input from an external source.
The flaw affects all Open Babel releases up to and including version 3.1.1. The fix was committed as `openbabel/openbabel@4110d59a` and released in version 3.2.0 on 2026-05-26. A minimized reproducer is checked in under `test/files/fuzz_regress/` and is exercised on every CI build under ASAN+UBSAN by the `fuzzregresstest` harness. The vulnerability was reported by Cisco TALOS.

DailyCVE Form

| Field | Value |
|-|-|
| Platform | Open Babel |
| Version | ≤ 3.1.1 |
| Vulnerability | Out-of-bounds write |
| Severity | Critical |
| Date | 2026-05-26 |
| Prediction | Patch already released |

What Undercode Says

Analytics from the upstream security tracker:

  • CVE-2022-43607 is tracked as an out-of-bounds write in the MOL2 attribute/value parser.
  • The fix commit `4110d59a` landed in Open Babel 3.2.0.
  • The vulnerability is reproducible with a malformed MOL2 file; a minimized test case exists under test/files/fuzz_regress/.
  • CI pipelines run the regression test under ASAN+UBSAN to prevent regressions.
  • Debian tracks this CVE and marks all releases up to 3.1.1 as vulnerable.

Reproducer commands (using the provided test file):

```bash
# Navigate to the Open Babel source directory
cd /path/to/openbabel
# Build with AddressSanitizer and UndefinedBehaviorSanitizer
mkdir build && cd build
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -g" ..
make -j"$(nproc)"
# Run the fuzz regression test that includes the CVE reproducer
ctest -R fuzzregresstest -V
```

Manual trigger (if you have a malicious MOL2 file):

obabel malicious.mol2 -O output.smi

Exploit

An attacker crafts a MOL2 file with an overlong attribute name or value, for example:

@<TRIPOS>ATOM
1 C1 0.000 0.000 0.000 C.3 1 UNK 0.000
@<TRIPOS>BOND
1 1 2 1
@<TRIPOS>SUBSTRUCTURE
1 UNK 1 ROOT
@<TRIPOS>ATTRIBUTE
1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 1

When the parser reads this file, the overly long attribute name exceeds the fixed-size destination buffer, triggering an out-of-bounds write. By carefully controlling the overflow data, an attacker can overwrite a return address or function pointer to achieve arbitrary code execution.

Protection

  • Upgrade to Open Babel 3.2.0 or later, which contains the fix commit 4110d59a.
  • Apply the patch manually if upgrading is not immediately possible:
    git clone https://github.com/openbabel/openbabel.git
    cd openbabel
    git checkout 4110d59a
  • Use ASAN/UBSAN during development and testing to catch similar memory-safety issues early.
  • Validate input before parsing: reject MOL2 files with attribute names or values exceeding reasonable length limits.
  • Run untrusted files in a sandboxed or containerized environment to limit the impact of a successful exploit.
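The input-validation step above, and the overlong-field condition described in the "How CVE-2022-43607 Works" section, as an added example (not Open Babel's own code): a pre-parse gate that walks the `@<TRIPOS>` records of a MOL2 file and rejects any whitespace-separated field longer than an assumed limit before the file is handed to `obabel` or `OBConversion`. The limit, the violation record, the function names and the sample inputs are all constructed for this illustration.

```python
"""Pre-parse length check for MOL2 records (added example, not Open Babel code)."""
from dataclasses import dataclass
from typing import Optional

# Assumed, illustrative limit: longer than any legitimate MOL2 field,
# far shorter than the overlong attribute shown in the reproducer.
MAX_FIELD_LEN = 64


@dataclass
class Mol2Violation:
    section: str      # e.g. "ATTRIBUTE" (taken from the @<TRIPOS> header)
    line_no: int      # 1-based line number in the file
    field_len: int    # length of the offending whitespace-separated field


def check_mol2_field_lengths(text: str, max_len: int = MAX_FIELD_LEN) -> Optional[Mol2Violation]:
    """Return the first field longer than max_len, or None if the file is clean.

    Fields are whitespace-separated tokens inside @<TRIPOS>... records; a
    record header such as "@<TRIPOS>ATOM" switches the current section name.
    """
    section = "<none>"
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@<TRIPOS>"):
            section = line[len("@<TRIPOS>"):]
            continue
        for token in line.split():
            if len(token) > max_len:
                return Mol2Violation(section, line_no, len(token))
    return None


def is_safe_to_parse(text: str) -> bool:
    """Gate to run before handing the file to obabel / OBConversion."""
    return check_mol2_field_lengths(text) is None


# Constructed sample inputs (not taken from the Open Babel test suite).
GOOD_MOL2 = """@<TRIPOS>MOLECULE
methane
1 0 0 0 0
SMALL
GASTEIGER
@<TRIPOS>ATOM
1 C1 0.000 0.000 0.000 C.3 1 UNK 0.000
"""
BAD_MOL2 = GOOD_MOL2 + "@<TRIPOS>ATTRIBUTE\n1 " + "A" * 300 + " 1\n"
```

The check is intentionally stricter than the MOL2 grammar: it rejects on field length alone, so it needs no knowledge of which record types the parser copies into fixed-size buffers.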

Impact

  • Arbitrary Code Execution: A successful exploit allows an attacker to execute arbitrary code with the privileges of the process parsing the malicious MOL2 file.
  • Remote Attack Vector: The vulnerability is remotely exploitable if the application processes untrusted MOL2 input from network sources.
  • Wide Exposure: Open Babel is embedded in numerous scientific computing services and language bindings (Python, Ruby, Java, R, Perl, C, PHP), increasing the attack surface.
  • Supply Chain Risk: Linux distributions and downstream projects that bundle vulnerable versions are affected until they update to 3.2.0.
  • Integrity and Confidentiality: Memory corruption can lead to data leakage, denial of service, or full system compromise depending on the exploitation technique.

Sources:

Reported By: github.com