Open Babel, NULL Pointer Dereference, CVE-2025-10999 (Low) -DC-Jul2026-770

How CVE-2025-10999 Works

Open Babel is a widely-used open-source C++ library and command-line tool for interconverting between various chemical file formats. It is included in major Linux distributions and is often embedded in larger services that parse chemical data.
The vulnerability, CVE-2025-10999, is a NULL pointer dereference found in the CACAO file format parser. The flaw exists within the `CacaoFormat::SetHilderbrandt` function, located in the source file /src/formats/cacaoformat.cpp. This function is responsible for applying the Hilderbrandt transformation during the parsing of a CACAO file.
The root cause is improper input validation. When the parser processes a specially crafted, malicious CACAO file, it fails to correctly handle certain malformed data structures. This leads to a situation where a pointer that is expected to point to a valid memory location is instead set to NULL. Subsequently, the `SetHilderbrandt` function attempts to dereference this NULL pointer. This operation is invalid and results in a crash of the application, effectively a denial-of-service (DoS).
The attack vector is local, meaning an attacker must have local access to the system to exploit this vulnerability. The exploit can be triggered by convincing a victim to open a malicious CACAO file using the `obabel` tool, the `OBConversion` API, or any of the language bindings (Python, Ruby, Java, R, Perl, C, PHP). The vulnerability affects all Open Babel releases up to and including version 3.1.1. The issue was originally reported via OSS-Fuzz and subsequently patched in version 3.2.0, released on 2026-05-26. The fix is consolidated in commit openbabel/openbabel@ecaed96f.

DailyCVE Form:

Platform: Open Babel
Version: ≤ 3.1.1
Vulnerability: NULL Pointer Dereference
Severity: Low
Date: 2025-09-26

Prediction: 2026-05-26

What Undercode Say:

The vulnerability is triggered in the `CacaoFormat::SetHilderbrandt` function. A minimal reproducer for this CVE is checked in under `test/files/fuzz_regress/` and is exercised on every CI build under ASAN+UBSAN by the `fuzzregresstest` harness.
While a specific exploit script is not provided, the following commands demonstrate how an attacker could trigger the vulnerability by processing a malicious file.

```bash
# Create a malformed CACAO file (example)
echo "malformed cacao data" > exploit.cacao
# Trigger the NULL pointer dereference using the obabel tool
obabel exploit.cacao -O output.mol
# Alternatively, using the OBConversion API in a script (Python example)
python3 -c "from openbabel import openbabel; conv = openbabel.OBConversion(); conv.ReadFile(openbabel.OBMol(), 'exploit.cacao')"
```

The core issue lies in the lack of a NULL check before dereferencing a pointer in CacaoFormat::SetHilderbrandt. A pseudo-code representation of the vulnerable code path is:

```cpp
// Simplified vulnerable code in CacaoFormat::SetHilderbrandt
void CacaoFormat::SetHilderbrandt(OBMol &mol) {
    // ... some logic ...
    OBAtom *atom = some_function();    // This could return NULL
    int valence = atom->GetValence();  // NULL pointer dereference if atom is NULL
    // ... rest of the function ...
}
```

Exploit:

The exploit for CVE-2025-10999 requires local access to the system. An attacker can craft a malicious CACAO file designed to trigger the NULL pointer dereference in the `CacaoFormat::SetHilderbrandt` function. The attack is executed by luring a victim into opening this file with the `obabel` command-line tool, or through any application that uses the Open Babel library’s `OBConversion` API or its language bindings to parse CACAO files.
Successful exploitation leads to a crash of the Open Babel process, resulting in a denial of service. While the vulnerability is not known to allow for arbitrary code execution, it can be used to disrupt services that rely on Open Babel for automated chemical data processing.

Protection:

The primary and most effective protection against CVE-2025-10999 is to update Open Babel to version 3.2.0 or later. This version contains the official patch that fixes the NULL pointer dereference in the CACAO parser.
If an immediate update is not possible, consider the following mitigations:
1. Input Validation: Avoid processing untrusted CACAO files from unknown or unverified sources.
2. Access Control: Restrict local access to systems running Open Babel to trusted users only.
3. Monitoring: Monitor systems for unexpected crashes or anomalous behavior in applications that use Open Babel for file conversion.
For developers and maintainers, the fix is available in the commit openbabel/openbabel@ecaed96f.
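
For services that cannot upgrade yet, the monitoring mitigation above can be combined with process isolation so that a parser crash ends only a child process and is recorded. The following is an added example, not code from the original page or from the Open Babel project; the helper names `run_isolated`, `convert` and `is_patched` are assumptions, and the crashing child in the demo is a constructed stand-in for a faulting parser.

```python
import re
import signal
import subprocess
import sys

PATCHED = (3, 2, 0)  # first fixed release according to the advisory


def is_patched(version: str) -> bool:
    """True if a version string (e.g. from the package manager) is >= 3.2.0."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) >= PATCHED


def run_isolated(argv, timeout=30):
    """Run one conversion in a child process and classify how it ended.

    Returns (status, detail); status is "ok", "failed", "crashed" or "timeout".
    """
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", f"killed after {timeout}s"
    except FileNotFoundError:
        return "failed", f"{argv[0]} not found"
    if proc.returncode < 0:
        # On POSIX a negative return code means the child died from a signal.
        # A NULL pointer dereference in the parser surfaces as SIGSEGV.
        return "crashed", signal.Signals(-proc.returncode).name
    if proc.returncode != 0:
        return "failed", f"exit code {proc.returncode}"
    return "ok", ""


def convert(infile, outfile, obabel="obabel"):
    """Convert with the obabel CLI; a parser crash cannot take down the caller."""
    return run_isolated([obabel, infile, "-O", outfile])


if __name__ == "__main__":
    # Constructed stand-in for a crashing parser: the child raises SIGSEGV on itself.
    crash = [sys.executable, "-c",
             "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
    print(run_isolated(crash))
    print(is_patched("3.1.1"), is_patched("3.2.0"))
```

A `"crashed"` result for a CACAO input is the event worth alerting on and quarantining the file for, since the service itself keeps running.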

Impact

The impact of this vulnerability is considered Low due to the requirement of local access for exploitation. However, it can lead to a denial of service (DoS) by crashing the application or the service that relies on Open Babel. This can disrupt critical workflows in chemical research, computational chemistry, and related fields that depend on Open Babel for automated data conversion and processing.

Sources:

Reported By: github.com