DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2022-46292: CVE-2022-46292: Heap-Based Out-of-Bounds Write in Open Babel MOPAC Parser

CVE-2022-46292: Heap-Based Out-of-Bounds Write in Open Babel MOPAC Parser

Vulnerability ID: CVE-2022-46292
CVSS Score: 9.8
Published: 2026-07-06

A critical heap-based out-of-bounds write vulnerability exists in Open Babel 3.1.1 and master commit 530dbfa3 within the parsing of Translation Vectors in the MOPAC output file format parser. By supplying a crafted MOPAC file containing more than three translation vector entries under the Unit Cell Translation block, an attacker can corrupt heap memory. This vulnerability can lead to arbitrary code execution or denial of service.

TL;DR

An out-of-bounds write vulnerability in Open Babel's MOPAC output parser allows remote attackers to execute arbitrary code or cause a crash via a malformed file with excessive translation vectors.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-787 / CWE-119
  • Attack Vector: Network / Local
  • CVSS v3.1 Score: 9.8 (NVD) / 7.8 (OSV)
  • EPSS Score: 0.00816 (Percentile: 52.66%)
  • Impact: Arbitrary Code Execution / Denial of Service
  • Exploit Status: Proof-of-Concept Available
  • CISA KEV Status: Not Listed

Affected Systems

  • Open Babel
  • Open Babel: <= 3.1.1 (Fixed in: Commit 40e852138f21d586b7ccdce6329e7b23a87168bb)

Code Analysis

Commit: 40e8521

Fix 5 CVE-2022 OOB writes in translationVectors[] across formats. Guard the write into a fixed 3-element array with numTranslationVectors < 3.

@@ -167,7 +167,8 @@ namespace OpenBabel
                 y = atof((char*)vs[3].c_str());
                 z = atof((char*)vs[4].c_str());

-                translationVectors[numTranslationVectors++].Set(x, y, z);
+                if (numTranslationVectors < 3)
+                  translationVectors[numTranslationVectors++].Set(x, y, z);
                 if (!ifs.getline(buffer,BUFF_SIZE))
                   break;
                 tokenize(vs,buffer);
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade Open Babel to a version containing the official patch (commit 40e852138f21d586b7ccdce6329e7b23a87168bb or later).
  • Deploy input validation filters (YARA rules) on ingress endpoints to drop malformed MOPAC files.
  • Isolate the file conversion processes using low-privilege execution sandboxes and containers.

Remediation Steps:

  1. Identify all installations of Open Babel 3.1.1 or code matching commit 530dbfa3 in the environment.
  2. Apply commit 40e852138f21d586b7ccdce6329e7b23a87168bb to the source code or upgrade to the patched version.
  3. Recompile the binaries with modern mitigation features such as ASLR, DEP, and stack canaries.
  4. Verify the patch by running the regression test suite with the provided Proof of Concept file.

References


Read the full report for CVE-2022-46292 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)