Open Babel MOPAC Output Parser Out-of-Bounds Write (CVE-2022-46293) -DC-Jul2026-766

Intro

CVE-2022-46293 is a memory-safety vulnerability in the MOPAC output parser of Open Babel, a C++ library and command-line tool widely used for converting chemical file formats. The flaw resides in the `ReadMolecule` function inside `src/formats/mopacformat.cpp`. When the parser encounters a line containing the string "FINAL POINT AND DERIVATIVES", it enters a code block that reads translation vectors from the input file and stores them into a fixed‑size stack array named `translationVectors[]`.
The array is dimensioned to hold a limited number of vectors, but the parser does not validate the count before writing. A malformed MOPAC output file can contain more translation vectors than the array has slots, triggering an out‑of‑bounds write past the end of the array. Each vector consists of three double-precision floating-point values (x, y, z), and the write occurs via the `Set(x, y, z)` method. Because the array resides on the stack, an attacker who controls the content of the malformed file can corrupt adjacent stack memory—including saved return addresses, frame pointers, and local variables—potentially leading to arbitrary code execution.
The vulnerability is one of five OOB write issues in the `translationVectors` parsing logic reported by Cisco TALOS as part of the 2022 batch, affecting multiple formats (MSI, MOPAC, MOPAC Cartesian, and Gaussian). Open Babel is shipped by all major Linux distributions and is embedded in various online chemical format converters and molecule viewers, making it potentially accessible over a network. An attacker can trigger the flaw by convincing a victim to open a malicious MOPAC output file using the `obabel` CLI tool, the `OBConversion` API, or any of the language bindings (Python, Ruby, Java, R, Perl, C, PHP).
The vulnerability was patched in Open Babel version 3.2.0, released on 2026‑05‑26, with the fix commit openbabel/openbabel@40e85213. A minimized reproducer is checked into `test/files/fuzz_regress/` and is exercised on every CI build under ASAN+UBSAN by the `fuzzregresstest` harness.

DailyCVE Form

| Field | Value |
|-|-|
| Platform | Open Babel |
| Version | ≤ 3.1.1 |
| Vulnerability | Out-of-bounds write |
| Severity | Critical (CVSS 9.8) |
| Date | 2023‑07‑21 |
| Prediction | Patch already released (3.2.0) |

What Undercode Say

```bash
# Check installed Open Babel version
obabel --version

# Download the vulnerable source (for analysis)
git clone https://github.com/openbabel/openbabel.git
cd openbabel
git checkout openbabel-3-1-1   # release tag for 3.1.1

# Compile with AddressSanitizer for debugging
mkdir build && cd build
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address -g" ..
make -j"$(nproc)"

# Run the regression test that exercises the OOB write
cd ../test/files/fuzz_regress/
# The reproducer file (e.g., mopac_final_point_oob.mop) is read by obabel;
# the build directory is three levels up from this directory
../../../build/bin/obabel mopac_final_point_oob.mop -O /dev/null
```

Code snippet showing the vulnerable logic (from `mopacformat.cpp`):

```cpp
else if (strstr(buffer, "FINAL POINT AND DERIVATIVES") != nullptr) {
    // ...
    while (ifs.getline(buffer, BUFF_SIZE)) {
        // parse x, y, z from line
        // ...
        translationVectors[numTranslationVectors++].Set(x, y, z); // OOB write
        // no bounds check on numTranslationVectors
    }
}
```

Patch diff (simplified):

- translationVectors[numTranslationVectors++].Set(x, y, z);
+ if (numTranslationVectors < MAX_TRANSLATION_VECTORS) {
+ translationVectors[numTranslationVectors++].Set(x, y, z);
+ } else {
+ // handle error / break
+ }
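
Review bot: the else branch is only a placeholder comment ("handle error / break"), so the patch as shown does not say what happens once numTranslationVectors reaches MAX_TRANSLATION_VECTORS. If that branch does nothing, the enclosing read loop from the snippet above keeps consuming vector lines and silently drops them, and the caller receives a molecule built from a truncated set; suggest reporting the error and leaving the loop, or failing the read, at that point. It is also worth confirming that MAX_TRANSLATION_VECTORS is the same constant used to declare translationVectors[], so the check cannot drift from the array size.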

Exploit

To exploit CVE-2022-46293, an attacker crafts a MOPAC output file that contains the `"FINAL POINT AND DERIVATIVES"` marker followed by more translation‑vector lines than the fixed‑size `translationVectors[]` array can hold. Each vector line supplies three floating‑point numbers (x, y, z) that the parser writes consecutively into the stack. By carefully choosing these values, the attacker can overwrite the saved return address on the stack, redirecting execution flow to attacker‑controlled shellcode or a ROP chain when the function returns.
Because the vulnerability is triggered during the parsing of a single input file, and Open Babel is often used in automated conversion pipelines or web services, the attack surface is broad. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects that no user interaction is required beyond supplying the malicious file, and the impact is complete compromise of confidentiality, integrity, and availability.

Protection

  • Upgrade to Open Babel 3.2.0 or later, which includes the fix commit openbabel/openbabel@40e85213.
  • Apply distribution updates: Debian, Ubuntu, and other Linux vendors have backported the patch; check your package manager for updated `openbabel` packages.
  • Input validation: If you cannot upgrade immediately, sanitize MOPAC input files by limiting the number of translation vectors before passing them to Open Babel, or use a wrapper that rejects files with excessive `FINAL POINT` entries.
  • Runtime defences: Compile Open Babel with stack canaries (-fstack-protector-strong) and ASLR enabled on the system to raise the bar for exploitation.
  • Sandboxing: Run `obabel` or any service that uses Open Babel in a restricted environment (e.g., container, seccomp, or firejail) to limit the impact of a potential code‑execution breach.
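
The bounds check from the patch, carried through as a stand-alone parser that fails closed when a file supplies more vectors than the array holds, which is also the behaviour a rejecting pre-filter needs. This is an added example, not Open Babel's code; the one-vector-per-line layout, the blank-line terminator, the capacity of 3 and all names (`parseFinalPoint`, `ParseStatus`, `kMaxTranslationVectors`) are assumptions made for illustration.

```cpp
#include <array>
#include <sstream>
#include <string>

// Assumed capacity; the page only says the array is fixed-size.
constexpr std::size_t kMaxTranslationVectors = 3;

struct Vec3 { double x = 0, y = 0, z = 0; };
enum class ParseStatus { Ok, NoSection, TooManyVectors, BadLine };

struct ParseResult {
    ParseStatus status = ParseStatus::NoSection;
    std::size_t count = 0;  // vectors actually stored
    std::array<Vec3, kMaxTranslationVectors> vectors{};
};

// Reads "x y z" lines after the marker until a blank line or end of input.
ParseResult parseFinalPoint(std::istream& in) {
    ParseResult r;
    std::string line;
    while (std::getline(in, line))
        if (line.find("FINAL POINT AND DERIVATIVES") != std::string::npos) break;
    if (!in) return r;  // marker never seen
    r.status = ParseStatus::Ok;
    while (std::getline(in, line)) {
        if (line.find_first_not_of(" \t\r") == std::string::npos) break;
        std::istringstream fields(line);
        Vec3 v;
        if (!(fields >> v.x >> v.y >> v.z)) { r.status = ParseStatus::BadLine; return r; }
        // Check before the write, so the index can never pass the end of the array.
        if (r.count >= kMaxTranslationVectors) { r.status = ParseStatus::TooManyVectors; return r; }
        r.vectors[r.count++] = v;
    }
    return r;
}

// Convenience wrapper: parse a file held in memory.
ParseResult parseFinalPointText(const std::string& text) {
    std::istringstream in(text);
    return parseFinalPoint(in);
}

int main() {
    // Constructed sample: five vector lines, two more than the array holds.
    const std::string sample =
        "FINAL POINT AND DERIVATIVES\n"
        "1.0 0.0 0.0\n0.0 1.0 0.0\n0.0 0.0 1.0\n2.0 0.0 0.0\n0.0 2.0 0.0\n";
    return parseFinalPointText(sample).status == ParseStatus::TooManyVectors ? 0 : 1;
}
```

Returning a distinct `TooManyVectors` status lets the caller reject the whole file instead of continuing with a silently truncated vector set.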

Impact

  • Arbitrary Code Execution: Successful exploitation allows an attacker to execute arbitrary code with the privileges of the process that opens the malicious MOPAC file.
  • Data Confidentiality & Integrity: The attacker can read sensitive data from memory, modify in‑memory data structures, and potentially write to files or network sockets.
  • Denial of Service: Even without code execution, the OOB write can corrupt the stack and cause the application to crash, leading to service disruption.
  • Wide Attack Surface: Open Babel is integrated into numerous chemistry toolchains, online converters, and scientific workflows. Any service that accepts user‑supplied chemical files in MOPAC format is vulnerable.
  • Supply Chain Risk: Because Open Babel is a dependency for many higher‑level applications, a single vulnerable version can propagate the flaw across multiple software stacks.

Sources:

Reported By: github.com