Open Babel, Out-of-bounds Write, CVE-2022-46289 (Critical) -DC-Jul2026-776

The vulnerability resides in the ORCA file format parser of Open Babel, a C++ library and command-line tool for converting and manipulating chemical file formats. ORCA is a quantum chemistry output format; when Open Babel reads an ORCA file, it parses a header line containing the string “Number of atoms” followed by an integer value (`nAtoms`) that declares how many atoms are present in the molecule. The parser then allocates a dynamic array (`confCoords`) of size `nAtoms * 3` to store the x, y, z coordinates of each atom, and subsequently loops over the coordinate lines that follow.
The flaw lies in the absence of any validation on the `nAtoms` value read from the file. A malformed input can supply an arbitrarily large or negative `nAtoms` integer. If `nAtoms` is excessively large, the allocation `new double[nAtoms * 3]` may succeed (or fail silently) but the subsequent loop that writes coordinates into `confCoords` does not check that the current atom index `i` remains below `nAtoms`. Consequently, when the file contains more coordinate lines than declared, the parser writes past the end of the allocated buffer, causing an out-of-bounds write. Conversely, if `nAtoms` is negative or zero, the allocation may be skipped or undersized, yet the loop still attempts to write coordinates, again leading to out-of-bounds memory corruption.
This memory-safety issue can be triggered simply by opening a malicious ORCA file with the `obabel` command-line tool, through the `OBConversion` API, or via any of the language bindings (Python, Ruby, Java, R, Perl, C, PHP). Successful exploitation can corrupt heap metadata, crash the application, or – under certain conditions – lead to arbitrary code execution. The vulnerability affects all Open Babel releases up to and including 3.1.1. The fix, committed as `openbabel/openbabel@b239d06e`, introduces proper bounds checking: it validates that `vs.size() > 4` before parsing `nAtoms`, clamps `nAtoms` to a safe range (0–10,000,000), initialises `confCoords` to `nullptr`, and ensures that every write to `confCoords` is guarded by `if (confCoords != nullptr && i < nAtoms)`. The patched version 3.2.0 was released on 2026-05-26, and a minimized reproducer is checked into the test suite and run under ASAN+UBSAN in continuous integration.
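
The guards listed above, sketched as an added example (not Open Babel's source or the actual patch): a simplified line parser that applies the `vs.size() > 4` check, the 0–10,000,000 clamp, a null-initialised `confCoords` and the `i < nAtoms` write guard. The names `parseOrcaLike` and `ParseResult`, the `<symbol> <x> <y> <z>` coordinate layout and the sample header line are assumptions made for illustration.

```cpp
#include <algorithm>
#include <iostream>
#include <memory>
#include <new>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Simplified stand-in for the parsing loop described above; not Open Babel source.
struct ParseResult {
    long nAtoms = 0;             // atom count after validation
    int rejected = 0;            // coordinate lines refused by the write guard
    std::vector<double> coords;  // x, y, z values actually stored
};
const long kMaxAtoms = 10000000;  // upper bound quoted in the advisory

ParseResult parseOrcaLike(const std::string& text) {
    ParseResult r;
    std::unique_ptr<double[]> confCoords;  // starts as nullptr
    long i = 0;                            // index of the next atom to store
    std::istringstream in(text);
    for (std::string line; std::getline(in, line);) {
        std::istringstream ls(line);
        std::vector<std::string> vs;
        for (std::string tok; ls >> tok;) vs.push_back(tok);
        if (line.find("Number of atoms") != std::string::npos) {
            if (vs.size() <= 4 || confCoords) continue;  // need vs[4]; first header wins
            long n = 0;
            try { n = std::stol(vs[4]); } catch (const std::exception&) { continue; }
            r.nAtoms = std::min(std::max(n, 0L), kMaxAtoms);  // clamp to 0..kMaxAtoms
            if (r.nAtoms > 0) confCoords.reset(new (std::nothrow) double[r.nAtoms * 3]());
            continue;
        }
        if (vs.size() != 4) continue;  // assumed layout: "<symbol> <x> <y> <z>"
        double xyz[3];
        try { for (int k = 0; k < 3; ++k) xyz[k] = std::stod(vs[k + 1]); }
        catch (const std::exception&) { continue; }
        if (confCoords != nullptr && i < r.nAtoms)  // guard added by the fix
            std::copy(xyz, xyz + 3, confCoords.get() + 3 * i++);
        else ++r.rejected;  // an unguarded loop would write out of bounds here
    }
    if (confCoords) r.coords.assign(confCoords.get(), confCoords.get() + 3 * i);
    return r;
}

int main() {
    // Constructed input: the header declares 1 atom but three coordinate lines follow.
    std::cout << parseOrcaLike("Number of atoms .... 1\nC 0 0 0\nH 1 1 1\nH 2 2 2\n").rejected << " rejected\n";
}
```

A non-zero `rejected` count means the file carries more coordinate lines than its header declares, which is the mismatch the unpatched loop turned into a heap write.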

DailyCVE Form:

Platform: Open Babel
Version: <=3.1.1
Vulnerability: Out‑of‑bounds write
Severity: Critical
Date: 2026‑07‑01

Prediction: 2026-05-26

What Undercode Say:

```bash
# Trigger the vulnerability using the obabel CLI
obabel -iorca malicious.orca -osmi

# Run with AddressSanitizer to observe the out-of-bounds write
ASAN_OPTIONS=detect_leaks=0 obabel -iorca malicious.orca -osmi

# Minimal reproducer location in the source tree:
#   test/files/fuzz_regress/cve-2022-46289.orca

# Build and run the regression test harness under ASAN+UBSAN
mkdir build && cd build
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined" ..
make
ctest -R fuzzregresstest
```

Exploit:

An attacker crafts an ORCA file with a header line “Number of atoms” set to a small value (e.g., 1) but includes many more coordinate lines. When Open Babel parses this file, the loop writing coordinates into `confCoords` continues beyond the allocated buffer, overwriting adjacent heap memory. This can be leveraged to corrupt function pointers or heap metadata, potentially achieving arbitrary code execution with the privileges of the process using Open Babel.

Protection:

  • Upgrade to Open Babel 3.2.0 or later, which contains the fix.
  • If upgrading is not immediately possible, avoid processing untrusted ORCA files with obabel, OBConversion, or any language bindings.
  • Run Open Babel in a sandboxed environment with restricted privileges when handling external input.
  • Use compiler sanitizers (ASAN, UBSAN) during development to detect such memory errors early.

Impact:

  • Confidentiality: An attacker may read sensitive memory contents through controlled out‑of‑bounds writes.
  • Integrity: Heap corruption can alter program state, leading to incorrect chemical data conversion or unexpected behaviour.
  • Availability: The vulnerability typically causes a crash (segmentation fault), resulting in denial of service.
  • Remote Code Execution: Under favourable conditions, the out‑of‑bounds write can be turned into arbitrary code execution, compromising the entire system. The CVSS base score is 9.8 (Critical) due to network exploitability, low attack complexity, and no required privileges or user interaction.

Sources:

Reported By: github.com