Open Babel, NULL Pointer Dereference, CVE-2025-10998 (Low) -DC-Jul2026-775


How CVE-2025-10998 Works

Open Babel is a C++ library and command-line tool used extensively in computational chemistry and cheminformatics to read, write, and convert molecular file formats. The vulnerability resides in the ChemKin format parser, specifically within the `ChemKinFormat::ReadReactionQualifierLines` function found in /src/formats/chemkinformat.cpp.
ChemKin is a file format used to represent chemical reaction mechanisms. When parsing a ChemKin file, the `ReadReactionQualifierLines` function is responsible for interpreting reaction qualifier records, which are lines that modify or describe reaction behavior. A malformed or specially crafted reaction qualifier record can cause the parser to attempt to dereference a pointer that has not been properly initialized and remains NULL.
In C++, dereferencing a `NULL` pointer is an invalid memory operation that typically results in a segmentation fault, causing the application to crash. The crash occurs when the parser calls `std::string::c_str()` on a null or invalid string object. This is a classic memory-safety issue classified as CWE-476: NULL Pointer Dereference.
The vulnerability is triggered locally when a victim opens a malicious ChemKin file using the `obabel` tool, the `OBConversion` API, or any of Open Babel’s language bindings (Python, Ruby, Java, R, Perl, C, PHP). The attack requires local access and low privileges, with no user interaction needed beyond opening the file. The primary impact is a denial of service (application crash) with low availability impact. The exploit has been publicly disclosed.
The issue affects all Open Babel releases up to and including version 3.1.1. It was reported via OSS-Fuzz and fixed in version 3.2.0, released on 2026-05-26. The fix is consolidated in pull request 2913, with the specific patch commit being openbabel/openbabel@af4a4212. A minimized reproducer is checked into the test suite under `test/files/fuzz_regress/` and is run on every CI build with AddressSanitizer (ASAN) and UndefinedBehaviorSanitizer (UBSAN).
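
The bug class described above, modelled as an added example (not Open Babel's code and not the patch): a lookup that returns `nullptr` for an absent token is first dereferenced unconditionally, then guarded. The `KEYWORD / value /` record layout and all function names are assumptions made for the illustration.

```cpp
// Added illustration, NOT Open Babel source. The "KEYWORD / value /" layout
// and every name below are assumptions chosen to model the bug class.
#include <cstdlib>
#include <string>
#include <vector>

// Split a record on blanks and '/' delimiters.
static std::vector<std::string> split_record(const std::string& line) {
    std::vector<std::string> toks;
    std::string cur;
    for (char c : line) {
        const bool sep = (c == '/' || c == ' ' || c == '\t');
        if (!sep) { cur.push_back(c); continue; }
        if (!cur.empty()) { toks.push_back(cur); cur.clear(); }
    }
    if (!cur.empty()) toks.push_back(cur);
    return toks;
}

// Lookup helper: nullptr signals "token not present in this record".
static const std::string* token_at(const std::vector<std::string>& t, std::size_t i) {
    return i < t.size() ? &t[i] : nullptr;
}

// Unguarded pattern (CWE-476): assumes a value always follows the keyword.
// For a record with no value, token_at() yields nullptr and ->c_str() is
// undefined behaviour, in practice a segmentation fault.
double qualifier_value_unchecked(const std::string& line) {
    const std::vector<std::string> toks = split_record(line);
    return std::atof(token_at(toks, 1)->c_str());
}

// Guarded pattern: a missing or non-numeric value is reported as a parse
// error to the caller instead of being dereferenced.
bool qualifier_value_checked(const std::string& line, double& out) {
    const std::vector<std::string> toks = split_record(line);
    const std::string* val = token_at(toks, 1);
    if (val == nullptr) return false;
    char* end = nullptr;
    const double d = std::strtod(val->c_str(), &end);
    if (end == val->c_str() || *end != '\0') return false;
    out = d;
    return true;
}

int main() {  // exit code 0 when the guarded parser behaves as described
    double v = 0.0;
    return qualifier_value_checked("LOW / 1.5 /", v) && !qualifier_value_checked("LOW", v) ? 0 : 1;
}
```

Building a parser like this with `-fsanitize=address,undefined` turns the unguarded call into a diagnosable report, which is how the regression test mentioned above is run in CI.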

DailyCVE Form

Platform: Open Babel
Version: ≤3.1.1
Vulnerability: NULL Pointer Dereference
Severity: Low (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Date: 2025-09-26

Prediction: 2026-05-26

What Undercode Say: Analytics

The following commands and code snippets can be used to analyze, reproduce, or understand the vulnerability.

Check Open Babel version:

```bash
# -V prints the Open Babel version number
obabel -V
```

Reproduce the crash (using the minimized reproducer):

```bash
# The reproducer is located in the Open Babel source tree:
#   ./test/files/fuzz_regress/chemkin_null_deref.ck
# Run obabel on the malicious file
obabel chemkin_null_deref.ck -O /dev/null
```

Run the fuzz regression test under ASAN+UBSAN:

```bash
# Build Open Babel with sanitizers
mkdir build && cd build
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -g" ..
make
# Run the fuzz regression test harness
./test/fuzzregresstest
```

Verify the patch (commit `af4a4212`):

```bash
git clone https://github.com/openbabel/openbabel.git
cd openbabel
git show af4a4212
```

Check if the system is vulnerable (Debian/Ubuntu):

```bash
dpkg -l | grep openbabel
# Or
apt-cache policy openbabel
```

Exploit

The exploit requires local access and is triggered by providing a specially crafted ChemKin input file to the Open Babel parser. The technical details and a proof-of-concept exploit are publicly available. The vulnerability is easy to exploit and can lead to a denial of service (segmentation fault).
A minimal proof-of-concept involves creating a ChemKin file with a malformed reaction qualifier record that causes the `std::string::c_str()` call on a null string object. The exact structure of the malformed record is documented in the minimized reproducer checked into the Open Babel source tree (test/files/fuzz_regress/).

Protection

  • Upgrade Open Babel to version 3.2.0 or later, which contains the fix.
  • If upgrading is not immediately possible, avoid opening untrusted ChemKin files with Open Babel.
  • As a workaround, consider using an alternative chemistry file format parser for untrusted input.
  • For Linux distributions, monitor for updated packages. As of the publication date, Debian (bullseye, bookworm, trixie) and Ubuntu (plucky, noble, jammy, focal, bionic, xenial) have not yet released fixed packages.

Impact

  • Denial of Service (DoS): The vulnerability causes the application to crash due to a segmentation fault, interrupting any workflows or services that rely on Open Babel.
  • Availability: The impact is limited to availability, with no confidentiality or integrity loss.
  • Attack Vector: The attack is local, requiring the attacker to have local access and low privileges.
  • User Interaction: The victim must open a malicious ChemKin file using the `obabel` tool, the `OBConversion` API, or any of the language bindings.
  • Affected Deployments: Open Babel is shipped by Linux distributions and embedded in various services that parse chemistry file formats, making this vulnerability relevant in scientific computing environments, cheminformatics pipelines, and web services that process user-uploaded molecular data.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
