PT-2026-55158 · Pypi · Open Babel
Published
2026-07-01
·
Updated
2026-07-01
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Summary
A memory-safety vulnerability in Open Babel's ORCA parser allowed an
out-of-bounds write when reading a crafted input file.
Details
The flaw was in the
nAtoms handling of the ORCA reader. A malformed
input caused the parser to write past the end of its destination
buffer.Impact
Open Babel is a C++ library and CLI used to read and write chemistry
file formats; it is shipped by Linux distributions and embedded in
services that may parse untrusted input. Triggering this vulnerability
requires the victim to open a malicious ORCA file with the
obabel
tool, the OBConversion API, or any of the language bindings (Python,
Ruby, Java, R, Perl, C#, PHP).Affected versions
All releases up to and including 3.1.1.
Patched version
3.2.0 (released 2026-05-26).
Patch
A minimized reproducer for this CVE is checked in under
test/files/fuzz regress/ and is exercised on every CI build under
ASAN+UBSAN by the fuzzregresstest harness.Credit
Reported by Cisco TALOS.
Fix
Heap Based Buffer Overflow
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Open Babel