How CVE-2022-44451 Works
The vulnerability resides in the MSI (Molecular Simulation Inc.) format parser of Open Babel, a widely used open-source chemistry file format conversion library and command-line tool. The flaw is rooted in the atom handling routine of the MSI reader. When processing a malformed MSI record, the parser attempts to dereference an atom pointer that was never properly initialized.
In C++, using an uninitialized pointer leads to undefined behavior—the pointer contains a garbage memory address. Dereferencing it reads or writes to an unpredictable memory location. An attacker can craft a malicious MSI file with a specially malformed record that triggers this uninitialized dereference. The parser, expecting a valid atom object, blindly follows the pointer and operates on the corrupted or attacker-controlled memory contents.
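An added illustration of the bug class described above, not Open Babel's code: a hypothetical toy record format (`atom` and `charge` lines, not the real MSI grammar) in which a property record can arrive before any atom exists. The parser starts its current-atom pointer at null and rejects such input instead of dereferencing it.

```cpp
#include <deque>
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical toy format (not the real MSI grammar):
//   atom <element>    starts a new atom
//   charge <value>    sets a property on the most recent atom
struct Atom { std::string element; double charge = 0.0; };

struct ParseResult {
    bool ok = false;
    std::string error;       // set when ok is false
    std::deque<Atom> atoms;  // deque: push_back keeps element addresses valid
};

ParseResult parse_records(const std::string& text) {
    ParseResult r;
    auto fail = [&r](int lineno, const std::string& why) {
        r.atoms.clear();  // never hand back a half-parsed molecule
        r.error = "line " + std::to_string(lineno) + ": " + why;
        return r;
    };
    // Vulnerable pattern: `Atom* cur;` holds an indeterminate address until
    // the first "atom" record. Hardened: start from a known null state.
    Atom* cur = nullptr;
    std::istringstream in(text);
    std::string line;
    for (int lineno = 1; std::getline(in, line); ++lineno) {
        std::istringstream fields(line);
        std::string kind;
        if (!(fields >> kind)) continue;  // blank line
        if (kind == "atom") {
            Atom a;
            if (!(fields >> a.element)) return fail(lineno, "atom record without element");
            r.atoms.push_back(a);
            cur = &r.atoms.back();
        } else if (kind == "charge") {
            // The vulnerable pattern dereferences cur here unconditionally.
            if (cur == nullptr) return fail(lineno, "charge record with no preceding atom");
            if (!(fields >> cur->charge)) return fail(lineno, "charge is not a number");
        } else {
            return fail(lineno, "unknown record type");
        }
    }
    r.ok = true;
    return r;
}

int main() {  // constructed input: a property record before any atom
    std::cout << parse_records("charge 1.0\natom C\n").error << "\n";
}
```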
This memory corruption can be leveraged to achieve arbitrary code execution. The attacker does not need any special privileges; they only need to convince a victim to open the malicious MSI file using the `obabel` command-line tool, the `OBConversion` programming API, or any of the language bindings (Python, Ruby, Java, R, Perl, C, PHP). Because Open Babel is embedded in various services that parse untrusted chemical file inputs, this vulnerability poses a significant supply-chain risk.
The vulnerable code exists in all Open Babel releases up to and including version 3.1.1. The fix was committed in version 3.2.0, released on 2026-05-26. The patch is available in the official repository at openbabel/openbabel@fa9a2d9a. A minimized reproducer is checked into the test suite under `test/files/fuzz_regress/` and is continuously exercised under AddressSanitizer (ASAN) and UndefinedBehaviorSanitizer (UBSAN) via the `fuzzregresstest` harness. The vulnerability was reported by Cisco TALOS.
DailyCVE Form:
Platform: Open Babel
Version: ≤ 3.1.1
Vulnerability: Uninitialized pointer dereference
Severity: Critical (CVSS 9.8)
Date: 2026-07-01
Prediction: Patch already available
What Undercode Say:
```bash
# Check installed Open Babel version
obabel -V

# Download the vulnerable package (for testing only)
wget https://github.com/openbabel/openbabel/archive/refs/tags/openbabel-3-1-1.tar.gz
tar -xzf openbabel-3-1-1.tar.gz
cd openbabel-openbabel-3-1-1

# Build with AddressSanitizer to detect the uninitialized pointer dereference
mkdir build && cd build
cmake -DCMAKE_CXX_FLAGS="-fsanitize=address -g" ..
make -j$(nproc)

# Run the fuzz regression test that includes the CVE reproducer
ctest -R fuzzregresstest -V

# Minimal reproducer file (malformed MSI) can be found at:
# test/files/fuzz_regress/ in the Open Babel source tree
# Example command to trigger the vulnerability (if vulnerable):
obabel malicious.msi -o smi
```
Exploit:
A remote attacker can supply a specially crafted MSI file to a victim or service using Open Babel. No authentication or user interaction beyond opening the file is required. The uninitialized pointer dereference allows the attacker to read or write arbitrary memory locations, potentially leading to full system compromise. The attack vector is network-based, with low complexity and no privileges required.
Protection:
- Upgrade to Open Babel version 3.2.0 or later, which contains the fix.
- Apply the patch from commit `openbabel/openbabel@fa9a2d9a` if upgrading is not immediately possible.
- Avoid opening untrusted MSI files with any Open Babel-based tool or service.
- Use input sanitization or run Open Babel in a sandboxed/containerized environment when processing files from untrusted sources.
Impact:
Successful exploitation allows arbitrary code execution with the privileges of the process using Open Babel. Given the CVSS score of 9.8 (Critical), the impact is severe: full loss of confidentiality, integrity, and availability. This affects Linux distributions, scientific computing environments, and any service that uses Open Babel to parse chemical file formats.
Sources:
Reported By: github.com

