<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pip/Openbabel (&lt; 3.2.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pip/openbabel--3.2.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:01:12 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pip/openbabel--3.2.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Open Babel Heap Buffer Overflow in ChemKin Parser (CVE-2025-10997)</title><link>https://feed.craftedsignal.io/briefs/2026-07-open-babel-heap-overflow/</link><pubDate>Fri, 03 Jul 2026 13:01:12 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-open-babel-heap-overflow/</guid><description>A heap buffer overflow vulnerability (CVE-2025-10997) in Open Babel's ChemKin parser allows an attacker to achieve memory corruption when a victim processes a specially crafted ChemKin file, potentially leading to denial of service or arbitrary code execution.</description><content:encoded><![CDATA[<p>A memory-safety vulnerability, identified as CVE-2025-10997, has been discovered in Open Babel, a widely used C++ library and command-line tool for chemistry file format conversion. This flaw, reported via OSS-Fuzz, specifically exists within the <code>ChemKinFormat::CheckSpecies</code> function of the ChemKin parser. Attackers can exploit this vulnerability by crafting a malicious ChemKin file that, when processed by a victim using Open Babel components (such as the <code>obabel</code> tool, the <code>OBConversion</code> API, or its language bindings), causes a heap buffer overflow. This leads to memory corruption, potentially resulting in application crashes (Denial of Service) or, under certain conditions, arbitrary code execution. All Open Babel releases up to and including version 3.1.1 are affected; the vulnerability was patched in version 3.2.0, released on 2026-05-26.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious ChemKin file specifically designed to contain malformed species records, triggering the heap buffer overflow in <code>ChemKinFormat::CheckSpecies</code>.</li>
<li>The malicious ChemKin file is delivered to the victim, typically via social engineering (e.g., email attachment), malicious download link, or embedding within a seemingly legitimate data set.</li>
<li>The victim interacts with the malicious file, causing it to be processed by an Open Babel component, such as the <code>obabel</code> command-line tool, the <code>OBConversion</code> API, or one of its language bindings (Python, Ruby, Java, etc.).</li>
<li>Open Babel's internal parser, specifically within the <code>ChemKinFormat::CheckSpecies</code> function, attempts to process the malformed species record from the crafted file.</li>
<li>Due to the malformed data, the <code>ChemKinFormat::CheckSpecies</code> function attempts to write data beyond the allocated bounds of a heap-allocated buffer.</li>
<li>This heap buffer overflow corrupts memory, leading to an application crash (Denial of Service) or, under specific conditions, allows for arbitrary code execution on the victim's system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-10997 can lead to severe consequences for systems processing untrusted ChemKin files with affected versions of Open Babel. The primary impact includes denial of service, as the application processing the malicious file will likely crash due to memory corruption. More critically, sophisticated exploitation could lead to arbitrary code execution, granting attackers control over the compromised system. Open Babel is widely integrated, being shipped by Linux distributions and embedded in various services that parse chemical file formats. Organizations using Open Babel in such contexts, especially those handling external or untrusted data, are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2025-10997 by upgrading all instances of Open Babel and its language bindings to version 3.2.0 or later immediately.</li>
<li>Implement strict input validation and sanitization for all ChemKin files processed by applications utilizing Open Babel components to mitigate risks from specially crafted inputs.</li>
<li>Monitor systems that utilize Open Babel for unexpected application crashes or unusual process behavior that could indicate attempted exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>chemistry</category><category>vulnerability</category><category>buffer-overflow</category><category>memory-corruption</category><category>cve</category></item></channel></rss>