Open Babel MOPAC Parser Out-of-Bounds Write Vulnerability (CVE-2022-46294)
A memory-safety vulnerability (CVE-2022-46294) in Open Babel's MOPAC input parser allows an out-of-bounds write into the `translationVectors[]` array when reading more than three Tv atoms from a crafted MOPAC input file, which can lead to application crash or arbitrary code execution upon victim processing the file.
Open Babel, a C++ library and command-line tool for chemistry file format manipulation, is affected by CVE-2022-46294, a high-severity memory-safety vulnerability. Discovered and reported by Cisco TALOS, this flaw exists in the MOPAC IN reader component. Specifically, a crafted MOPAC input file containing more than three 'Tv' (translation-vector) atoms can lead to an out-of-bounds write in the translationVectors[] array. This vulnerability affects all Open Babel versions up to and including 3.1.1. Exploitation requires a victim to open such a malicious file using the obabel CLI tool, the OBConversion API, or any of its language bindings (Python, Ruby, Java, R, Perl, C#, PHP). The library is widely adopted, shipped by various Linux distributions, and often embedded in services that process chemical data, making it a critical concern for defenders. The vulnerability was patched in version 3.2.0, released on 2026-05-26, with the fix available in commit 40e85213.
Attack Chain
- Attacker crafts a malicious MOPAC input file containing more than three 'Tv' (translation-vector) atoms specifically designed to trigger an out-of-bounds write vulnerability (CVE-2022-46294).
- Attacker delivers the malicious MOPAC file to a target system or user, potentially via email attachments, malicious websites, or untrusted file shares.
- A user or automated process on the target system opens or attempts to process the malicious MOPAC file using the
obabelcommand-line tool, theOBConversionAPI, or any of Open Babel's language bindings (e.g., Pythonpybel). - Open Babel's MOPAC IN reader component attempts to parse the malformed input file, specifically the section containing the 'Tv' atoms.
- During parsing, the reader attempts to store more translation vectors than the fixed-size
translationVectors[]array can hold, resulting in an out-of-bounds write operation past the allocated memory. - This out-of-bounds write corrupts adjacent memory, potentially leading to application crash, denial of service, or, under specific conditions, arbitrary code execution.
- If arbitrary code execution is successfully achieved, the attacker gains control over the compromised process running Open Babel, which can be leveraged for further system compromise, data exfiltration, or installation of additional malware.
Impact
The successful exploitation of CVE-2022-46294 can lead to memory corruption, causing the application using Open Babel to crash, resulting in a denial of service. In more severe scenarios, it could enable arbitrary code execution within the context of the affected application, allowing an attacker to compromise the system. Open Babel is a foundational library in chemistry and materials science, widely shipped by Linux distributions and integrated into various services for processing untrusted chemical data. Organizations that parse untrusted MOPAC files using vulnerable versions of Open Babel are at risk of system instability, data breaches, or complete system takeover if arbitrary code execution is achieved.
Recommendation
- Patch CVE-2022-46294 immediately by upgrading all affected installations of Open Babel to version 3.2.0 or higher.