Open Babel, Out-of-bounds Write, CVE-2022-43467 (Critical) -DC-Jul2026-771

The PQS (Protein Quaternary Structure) file format parser in Open Babel contains a memory‑safety vulnerability that manifests as an out‑of‑bounds write when processing a maliciously crafted input file. The flaw resides specifically in the `coord_file` parsing path of the PQS reader. When the parser encounters a malformed `coord_file` specifier – a directive that normally supplies atomic coordinate data – it fails to properly validate the length or content of the incoming string before copying it into a fixed‑size destination buffer. Because the parser trusts the file‑supplied size indicators without adequate bounds checking, an attacker can craft a `coord_file` entry that exceeds the buffer’s capacity, causing the write operation to spill past the allocated memory region.
This out‑of‑bounds write corrupts adjacent heap metadata or program state, which can be leveraged to achieve arbitrary code execution. The vulnerability is triggered simply by opening a malicious `.pqs` file with any of Open Babel’s interfaces: the command‑line tool obabel, the `OBConversion` C++ API, or any of the language bindings (Python, Ruby, Java, R, Perl, C, PHP). Since Open Babel is widely used in computational chemistry pipelines and is embedded in services that may accept user‑supplied files, this flaw represents a significant supply‑chain risk.
The issue affects all Open Babel releases up to and including version 3.1.1, as well as the master branch prior to the fix. The patch, committed as openbabel/openbabel@2a7d2cda, corrects the parsing logic by adding proper length validation and bounds checking before performing the copy operation. The fix is included in version 3.2.0, which was released on 2026‑05‑26. A minimized reproducer is checked into the test suite under `test/files/fuzz_regress/` and is exercised on every CI build with AddressSanitizer and UndefinedBehaviorSanitizer to prevent regressions. The vulnerability was reported by Cisco Talos and assigned CVE‑2022‑43467.

DailyCVE Form:
Platform: Open Babel
Version: 3.1.1 and earlier
Vulnerability: Out‑of‑bounds write
Severity: Critical
Date: 2023‑07‑21
Prediction: 2026‑05‑26

What Undercode Say:

Analytics

The following commands and code snippets illustrate the vulnerable code path, the reproducer, and the verification of the fix.

```bash
# Trigger the vulnerability using the obabel command-line tool
obabel -ipqs malicious.pqs -osmi 2>&1 | head -20

# Run the regression test suite with sanitizers enabled
cd openbabel
mkdir build && cd build
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -g" ..
make
ctest -R fuzzregresstest -VV

# Extract the minimized reproducer from the test suite (path relative to build/)
cat ../test/files/fuzz_regress/cve-2022-43467.pqs

# Verify that the fix is applied (commit hash)
git log --oneline | grep 2a7d2cda
```

The vulnerable code in the PQS reader (before the patch) performed an unsafe copy:

```cpp
// src/formats/pqsformat.cpp (simplified)
#include <cstring>
#include <string>

void PQSFormat::ReadCoordFile(const std::string& coord_spec) {
    char buffer[256];
    // No length check – out‑of‑bounds write if coord_spec.length() > 255
    strcpy(buffer, coord_spec.c_str());
    // ...
}
```

After the patch, the copy is guarded:

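```cpp
// Patched version
#include <cstring>
#include <string>

void PQSFormat::ReadCoordFile(const std::string& coord_spec) {
    char buffer[256];
    // Reject any specifier that would not fit together with its terminating NUL
    if (coord_spec.length() >= sizeof(buffer)) {
        throw OBError("coord_file specifier too long");
    }
    strcpy(buffer, coord_spec.c_str());
    // ...
}
```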

Exploit:

An attacker can supply a `.pqs` file containing an overly long `coord_file` directive. When parsed, the oversized string overwrites adjacent heap memory – typically a function pointer or a saved return address – allowing the attacker to redirect control flow and execute arbitrary shellcode. The exploit requires no special privileges and can be delivered via email, web upload, or any channel where a user or automated service processes untrusted PQS files.

Protection:

  • Upgrade to Open Babel 3.2.0 or later, which includes the fix commit 2a7d2cda.
  • If immediate upgrade is not possible, apply the patch manually from the official repository.
  • For downstream distributors, backport the fix to your stable release.
  • As a workaround, sanitize or validate all PQS input files before processing, or disable the PQS format parser if it is not required.
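
One way to implement the input-validation workaround above, as an added example that is not Open Babel's code. It assumes the 256-byte buffer of the simplified snippet; `screen_pqs`, `ScreenResult` and the sample lines are hypothetical, and because this page does not give the directive syntax, the limit is applied to every whitespace-delimited token.

```cpp
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>

// Assumption: the 256-byte destination buffer of the simplified snippet above.
constexpr std::size_t kCoordBufSize = 256;

struct ScreenResult {
    bool ok = true;          // true: no token can overflow the buffer
    std::size_t line = 0;    // 1-based line of the first offending token
    std::size_t length = 0;  // size in bytes of that token
};

// Hypothetical pre-filter. The directive syntax is not given on the page, so
// the limit is applied to every whitespace-delimited token: a token of
// kCoordBufSize bytes or more cannot fit together with its terminating NUL.
ScreenResult screen_pqs(std::istream& in) {
    ScreenResult result;
    std::string line;
    std::size_t lineno = 0;
    while (std::getline(in, line)) {
        ++lineno;
        std::istringstream tokens(line);  // '\r' of CRLF input counts as whitespace
        std::string tok;
        while (tokens >> tok) {
            if (tok.size() >= kCoordBufSize) {
                result.ok = false;
                result.line = lineno;
                result.length = tok.size();
                return result;  // reject on the first finding
            }
        }
    }
    return result;
}

int main() {
    // Constructed samples; "coord_file" is only a label here, not real PQS syntax.
    const std::string fits = "coord_file " + std::string(255, 'A') + "\n";
    const std::string too_long = "title x\r\ncoord_file " + std::string(256, 'A');
    for (const std::string& sample : {fits, too_long}) {
        std::istringstream in(sample);
        const ScreenResult r = screen_pqs(in);
        if (r.ok) std::cout << "accept\n";
        else std::cout << "reject: line " << r.line << ", " << r.length << " bytes\n";
    }
    return 0;
}
```

A filter like this belongs in front of any service that hands uploaded files to an unpatched Open Babel; it narrows exposure but does not replace the upgrade to 3.2.0.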

Impact:

  • CVSS 3.1 Base Score: 9.8 (Critical) per Talos; 7.8 (High) per NIST (local vector).
  • Confidentiality: High – an attacker can read sensitive memory contents.
  • Integrity: High – arbitrary code execution enables data modification.
  • Availability: High – the process can be crashed or hijacked.
  • Attack Vector: Network (Talos) / Local (NIST) – the file can be delivered remotely.
  • Attack Complexity: Low – no special knowledge beyond crafting a malformed PQS file.
  • Privileges Required: None – the victim only needs to open the file.
  • User Interaction: Required (Talos) / None (NIST) – the victim must open the malicious file.

Sources:

Reported By: github.com