How CVE-2025-10998 Works
Open Babel is a C++ library and command-line tool used extensively in computational chemistry and cheminformatics to read, write, and convert molecular file formats. The vulnerability resides in the ChemKin format parser, specifically within the `ChemKinFormat::ReadReactionQualifierLines` function found in /src/formats/chemkinformat.cpp.
ChemKin is a file format used to represent chemical reaction mechanisms. When parsing a ChemKin file, the `ReadReactionQualifierLines` function is responsible for interpreting reaction qualifier records, which are lines that modify or describe reaction behavior. A malformed or specially crafted reaction qualifier record can cause the parser to attempt to dereference a pointer that has not been properly initialized and remains NULL.
In C++, dereferencing a `NULL` pointer is an invalid memory operation that typically results in a segmentation fault, causing the application to crash. The crash occurs when the parser calls `std::string::c_str()` on a null or invalid string object. This is a classic memory-safety issue classified as CWE-476: NULL Pointer Dereference.
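An illustration of the bug class described above, added here and not Open Babel's code: a simplified qualifier-record reader in which a string pointer stays null when the record has no value field, next to a checked version. The function names, the tokenizer and the sample records are assumptions made for the illustration.

```cpp
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// Split a qualifier record such as "LOW / 1.04E26 -2.76 1600 /" into tokens,
// treating '/' as a separator in the same way as whitespace.
static std::vector<std::string> tokenize(const std::string& line) {
    std::string spaced;
    for (char c : line) spaced += (c == '/') ? ' ' : c;
    std::istringstream in(spaced);
    std::vector<std::string> toks;
    for (std::string t; in >> t;) toks.push_back(t);
    return toks;
}

// Vulnerable pattern: 'value' stays nullptr when the record carries only a
// keyword (for example "LOW /"), and c_str() is then called through it.
double first_value_unsafe(const std::string& line) {
    std::vector<std::string> toks = tokenize(line);
    const std::string* value = nullptr;
    if (toks.size() > 1) value = &toks[1];
    return std::strtod(value->c_str(), nullptr);  // NULL dereference on malformed input
}

// Hardened form: reject the record when the value is missing or not numeric.
bool first_value_checked(const std::string& line, double& out) {
    std::vector<std::string> toks = tokenize(line);
    const std::string* value = nullptr;
    if (toks.size() > 1) value = &toks[1];
    if (value == nullptr) return false;  // malformed record: no value field
    char* end = nullptr;
    double v = std::strtod(value->c_str(), &end);
    if (end == value->c_str() || *end != '\0') return false;  // not a number
    out = v;
    return true;
}

int main() {
    // Constructed sample records, not taken from the Open Babel reproducer.
    double v = 0.0;
    bool accepted = first_value_checked("LOW / 1.04E26 -2.76 1600 /", v);
    bool rejected = !first_value_checked("LOW /", v);
    return (accepted && rejected) ? 0 : 1;
}
```

`first_value_unsafe` is kept only to show the pattern and is never called; the checked version turns the same malformed record into a parse error the caller can report.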
The vulnerability is triggered locally when a victim opens a malicious ChemKin file using the `obabel` tool, the `OBConversion` API, or any of Open Babel’s language bindings (Python, Ruby, Java, R, Perl, C, PHP). The attack requires local access and low privileges, with no user interaction needed beyond opening the file. The primary impact is a denial of service (application crash) with low availability impact. The exploit has been publicly disclosed.
The issue affects all Open Babel releases up to and including version 3.1.1. It was reported via OSS-Fuzz and fixed in version 3.2.0, released on 2026-05-26. The fix is consolidated in pull request 2913, with the specific patch commit being openbabel/openbabel@af4a4212. A minimized reproducer is checked into the test suite under `test/files/fuzz_regress/` and is run on every CI build with AddressSanitizer (ASAN) and UndefinedBehaviorSanitizer (UBSAN).
DailyCVE Form
Platform: Open Babel
Version: ≤3.1.1
Vulnerability: NULL Pointer Dereference
Severity: Low (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Date: 2025-09-26
Prediction: 2026-05-26
What Undercode Say: Analytics
The following commands and code snippets can be used to analyze, reproduce, or understand the vulnerability.
Check Open Babel version:
```bash
obabel --version
```
Reproduce the crash (using the minimized reproducer):
```bash
# The reproducer is located in the Open Babel source tree:
#   ./test/files/fuzz_regress/chemkin_null_deref.ck
# Run obabel on the malicious file
obabel chemkin_null_deref.ck -O /dev/null
```
Run the fuzz regression test under ASAN+UBSAN:
```bash
# Build Open Babel with sanitizers
mkdir build && cd build
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -g" ..
make
# Run the fuzz regression test harness
./test/fuzzregresstest
```
Verify the patch (commit `af4a4212`):
```bash
git clone https://github.com/openbabel/openbabel.git
cd openbabel
git show af4a4212
```
Check if the system is vulnerable (Debian/Ubuntu):
```bash
dpkg -l | grep openbabel
# Or
apt-cache policy openbabel
```
Exploit
The exploit requires local access and is triggered by providing a specially crafted ChemKin input file to the Open Babel parser. The technical details and a proof-of-concept exploit are publicly available. The vulnerability is easy to exploit and can lead to a denial of service (segmentation fault).
A minimal proof-of-concept involves creating a ChemKin file with a malformed reaction qualifier record that causes `std::string::c_str()` to be called on a null string object. The exact structure of the malformed record is documented in the minimized reproducer checked into the Open Babel source tree (`test/files/fuzz_regress/`).
Protection
- Upgrade Open Babel to version 3.2.0 or later, which contains the fix.
- If upgrading is not immediately possible, avoid opening untrusted ChemKin files with Open Babel.
- As a workaround, consider using an alternative chemistry file format parser for untrusted input.
- For Linux distributions, monitor for updated packages. As of the publication date, Debian (bullseye, bookworm, trixie) and Ubuntu (plucky, noble, jammy, focal, bionic, xenial) have not yet released fixed packages.
Impact
- Denial of Service (DoS): The vulnerability causes the application to crash due to a segmentation fault, interrupting any workflows or services that rely on Open Babel.
- Availability: The impact is limited to availability, with no confidentiality or integrity loss.
- Attack Vector: The attack is local, requiring the attacker to have local access and low privileges.
- User Interaction: The victim must open a malicious ChemKin file using the `obabel` tool, the `OBConversion` API, or any of the language bindings.
- Affected Deployments: Open Babel is shipped by Linux distributions and embedded in various services that parse chemistry file formats, making this vulnerability relevant in scientific computing environments, cheminformatics pipelines, and web services that process user-uploaded molecular data.
Sources:
Reported By: github.com

