Listen to this Post
Technical Deep Dive
Open Babel is a C++ library and command‑line tool widely used in computational chemistry to convert, manipulate, and analyze chemical file formats. It is included in major Linux distributions and embedded in various scientific services that process untrusted molecular data. The vulnerability identified as CVE‑2026‑2705 resides in the MOL2 file format parser, specifically within the `OBAtom::SetFormalCharge` method.
The MOL2 format describes molecules using atom records that include fields such as atom name, coordinates, and formal charge. During parsing, the code extracts the formal charge value and attempts to assign it to an atom object by calling `OBAtom::SetFormalCharge` on a pointer that is assumed to be valid. However, a malformed or specially crafted MOL2 file can cause the parser to reach this method with a NULL atom pointer – for example, when an atom record references an index that does not exist or when the atom object was never properly instantiated.
When the parser calls `SetFormalCharge` on this NULL pointer, the C++ runtime attempts to access memory at address zero, triggering a NULL pointer dereference. In practice, this results in a segmentation fault (crash) of the calling process. Because the vulnerability is reachable through the public `OBConversion::ReadFile` / `WriteFile` API, the `obabel` CLI, and all language bindings (Python, Ruby, Java, R, Perl, C, PHP), any application that uses Open Babel to parse MOL2 files from untrusted sources is susceptible.
The issue affects all Open Babel releases up to and including 3.1.1. The project was informed via issue report 2862, and the fix was committed as e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. The patched version 3.2.0 was released on 2026‑05‑26. A minimized reproducer is checked into the repository under `test/files/fuzz_regress/` and is continuously exercised under ASAN+UBSAN in the CI pipeline.
DailyCVE Form
| Field | Answer |
|–||
| Platform | Open Babel |
| Version | ≤ 3.1.1 |
| Vulnerability | NULL ptr deref |
| Severity | Medium |
| date | 2026-02-19 |
| Prediction | 2026-05-26 (3.2.0) |
What Undercode Say
Analytics & Bash Commands
Check your Open Babel version obabel --version Test with the official reproducer (if you have the source) cd /path/to/openbabel make test ./test/fuzzregresstest --gtest_filter=MOL2_NULL_DEREF Quick smoke test with a malformed MOL2 file (example) echo -e "@<TRIPOS>MOLECULE\ntest\n0 0 0 0 0\n@<TRIPOS>ATOM\n1 C 0.0 0.0 0.0 0.0 0" > crash.mol2 obabel crash.mol2 -O out.smi This will crash on vulnerable versions
Code Snippet (Vulnerable Call Path)
// include/openbabel/atom.h (simplified)
void OBAtom::SetFormalCharge(int charge) {
// ...
}
// MOL2 parser logic (pseudo-code)
OBAtom atom = GetAtomFromIndex(index); // may return nullptr
atom->SetFormalCharge(charge); // NULL dereference if atom == nullptr
CI Integration
The fix is validated in every build under AddressSanitizer and UndefinedBehaviorSanitizer, ensuring the crash is caught before any release.
Exploit
An attacker can craft a malicious MOL2 file that contains an atom record with a non‑existent atom index or otherwise triggers the parser to call `SetFormalCharge` on a NULL pointer. The attack requires the victim to open this file using any Open Babel interface – the `obabel` command, the `OBConversion` API, or any of the language bindings. The exploit is publicly known and can be used to cause a denial of service (application crash). Remote exploitation is possible if the victim’s service automatically processes uploaded MOL2 files.
Protection
- Upgrade to Open Babel 3.2.0 or later, which contains the fix.
- If upgrading is not immediately possible, backport the patch from commit
e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. - Validate all MOL2 input files before passing them to Open Babel – reject files with malformed atom records.
- Run Open Babel in a sandboxed environment or with resource limits to mitigate the impact of a crash.
- Monitor the Debian / Ubuntu security trackers for updated packages.
Impact
- Denial of Service – The NULL pointer dereference crashes the application, interrupting any workflow that relies on Open Babel for MOL2 parsing.
- Potential Information Disclosure – While the primary effect is a crash, out‑of‑bounds reads (as reported by some trackers) could in theory leak memory contents if the dereference is exploitable in a different context.
- Wide Attack Surface – Open Babel is embedded in numerous scientific services, Linux distributions, and language bindings, making this vulnerability reachable from many environments.
- No Code Execution – The flaw does not directly allow arbitrary code execution; it is limited to a crash (denial of service).
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

