Listen to this Post
The MSI (Molecular Simulations Inc.) format reader inside Open Babel parses periodic cell translation vectors from an input file and stores them into a fixed‑size stack array named translationVectors[]. The array is declared with a capacity of three elements, as a crystal unit cell can have at most three translation vectors (a, b, c). However, the parsing code does not validate the number of vectors before writing them. A maliciously crafted MSI file can include more than three `A D 3` records (lattice‑vector lines), causing the reader to write past the end of the array. This out‑of‑bounds write corrupts adjacent stack memory, which an attacker can leverage to achieve arbitrary code execution. The vulnerability is one of five similar OOB writes in the `translationVectors[]` array that were reported by Cisco TALOS in the 2022 batch across multiple formats (Gaussian, MOPAC output, MOPAC input, and MSI). The MSI‑specific flaw is tracked as CVE‑2022‑46295. The affected code path is reachable through the `obabel` command‑line tool, the `OBConversion` C++ API, and all language bindings (Python, Ruby, Java, R, Perl, C, PHP) that expose the MSI parser. An attacker only needs to supply a specially crafted `.msi` file and convince a victim to open it. No user interaction beyond opening the file is required. The vulnerability has a CVSS base score of 9.8 (Critical) because it is network‑exploitable, requires no privileges, and can lead to full system compromise. The fix, committed as openbabel/openbabel@40e85213, adds a bounds check (numTranslationVectors < 3) before each write. The patched version 3.2.0 was released on 2026‑05‑26. A minimized reproducer is checked into the repository under `test/files/fuzz_regress/` and is automatically run under ASAN+UBSAN in CI to prevent regressions.
DailyCVE Form:
Platform: Open Babel
Version: ≤3.1.1
Vulnerability: OOB write (MSI)
Severity: Critical (9.8)
date: 2023‑07‑21
Prediction: 2026‑05‑26
What Undercode Say:
- Analytics – The flaw exists in the MSI parser’s handling of periodic‑cell translation vectors. The array `translationVectors
` is written without checking the count of vectors from the input.</li> <li>Bash commands – To reproduce the crash with ASAN: [bash] obabel cve-2022-46295.msi -O /dev/null
- Code snippet – The vulnerable write pattern (simplified):
double translationVectors[bash][3]; int num = 0; while (ReadVector(vec)) { translationVectors[bash][0] = vec.x; // OOB if num >= 3 translationVectors[bash][1] = vec.y; translationVectors[bash][2] = vec.z; num++; } - Fix commit – `openbabel/openbabel@40e85213` adds `if (numTranslationVectors < 3)` before each write.
Exploit:
An attacker crafts an MSI file with more than three `A D 3` records. When parsed, the extra vectors overwrite the stack frame of the MSI reader. By controlling the corrupted data, the attacker can redirect execution flow and execute arbitrary shellcode. The reproducer under `test/files/fuzz_regress/cve-2022-46295.msi` demonstrates the crash.
Protection:
- Upgrade to Open Babel 3.2.0 or later.
- If upgrading is not possible, avoid opening untrusted MSI files with any Open Babel interface.
- Use a security‑hardened build with ASAN and UBSAN to detect such overflows during testing.
Impact:
Successful exploitation leads to arbitrary code execution with the privileges of the process that opens the malicious MSI file. This can result in full system compromise, data theft, or lateral movement in enterprise environments where Open Babel is used in automated parsing pipelines.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

