Open Babel has an out-of-bounds read in CIF transform3d::DescribeAsString
🔗 CVE IDs covered (1)
📋 Description
Summary
A memory-safety vulnerability in Open Babel's CIF file format parser allowed an out-of-bounds read when reading a crafted input file.
Details
The flaw was in
OpenBabel::transform3d::DescribeAsString. A malformed symmetry-operation string caused the parser to read past the end of its internal buffer while formatting the description.Impact
Open Babel is a C++ library and CLI used to read and write chemistry file formats; it is shipped by Linux distributions and embedded in services that may parse untrusted input. Triggering this vulnerability requires the victim to open a malicious CIF file with the
obabeltool, the OBConversion API, or any of the language bindings.Affected versions
All releases up to and including 3.1.1.
Patched version
3.2.0 (released 2026-05-26).
Patch
Fix commit: https://github.com/openbabel/openbabel/commit/e23a224b Tracked in #2862.
A minimized reproducer for this CVE is checked in at
test/files/fuzz_regress/cve-2026-2704.cifand is exercised on every CI build under ASAN+UBSAN by thefuzzregresstestharness.Credit
Reported by Vedant Madane (@VedantMadane).
🎯 Affected products1
- pip/openbabel:< 3.2.0
🔗 References (14)
- https://github.com/openbabel/openbabel/security/advisories/GHSA-6xw4-2g22-26h8
- https://nvd.nist.gov/vuln/detail/CVE-2026-2704
- https://github.com/openbabel/openbabel/issues/2848
- https://github.com/openbabel/openbabel/pull/2862
- https://github.com/VedantMadane/openbabel/commit/e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a
- https://github.com/oneafter/0128/blob/main/ob1/repro.cif
- https://github.com/openbabel/openbabel/releases/tag/openbabel-3-2-0
- https://vuldb.com/?ctiid.346650
- https://vuldb.com/?id.346650
- https://vuldb.com/?submit.754378
- https://vuldb.com/submit/754378
- https://vuldb.com/vuln/346650
- https://vuldb.com/vuln/346650/cti
- https://github.com/advisories/GHSA-6xw4-2g22-26h8