PT-2026-55158 · Pypi · Open Babel

Published

2026-07-01

·

Updated

2026-07-01

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

A memory-safety vulnerability in Open Babel's ORCA parser allowed an out-of-bounds write when reading a crafted input file.

Details

The flaw was in the nAtoms handling of the ORCA reader. A malformed input caused the parser to write past the end of its destination buffer.

Impact

Open Babel is a C++ library and CLI used to read and write chemistry file formats; it is shipped by Linux distributions and embedded in services that may parse untrusted input. Triggering this vulnerability requires the victim to open a malicious ORCA file with the obabel tool, the OBConversion API, or any of the language bindings (Python, Ruby, Java, R, Perl, C#, PHP).

Affected versions

All releases up to and including 3.1.1.

Patched version

3.2.0 (released 2026-05-26).

Patch

A minimized reproducer for this CVE is checked in under test/files/fuzz regress/ and is exercised on every CI build under ASAN+UBSAN by the fuzzregresstest harness.

Credit

Reported by Cisco TALOS.

Fix

Heap Based Buffer Overflow

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-RJ4C-R689-CM87

Affected Products

Open Babel