CVE-2022-43607: Open Babel MOL2 Parser Stack Buffer Overflow
A crafted MOL2 file with an oversized attribute or value string causes Open Babel to write past a fixed 32-byte stack buffer during parsing, potentially leading to arbitrary code execution.
The problem
Open Babel's MOL2 reader allocates two 32-byte stack buffers, `attr` and `val`, to hold the attribute name and value parsed from comment lines beginning with `##########`.
The call `sscanf(buffer, "########## %[^:]:%s", attr, val)` uses an unbounded `%s` specifier. Any token in the input that is longer than 31 characters overflows the destination buffer on the stack. An attacker only needs to supply a malicious `.mol2` file; services that auto-convert chemistry files are reachable without direct user interaction.
Proof of concept
A working proof-of-concept for CVE-2022-43607 in openbabel, with the exact payload below.
########## AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
@<TRIPOS>MOLECULE
The root cause is a missing width specifier in the `sscanf` format string (CWE-787). The `%s` and `%[^:]` tokens read an unbounded number of non-whitespace characters into fixed 32-byte stack buffers. An input line matching the `##########` prefix but carrying a token of 30000+ bytes overflows both buffers in sequence, corrupting adjacent stack memory.
The Talos ASAN report shows a write of 30001 bytes starting at the 32-byte `attr` buffer. The patch adds explicit field-width limits to the format string, for example `%31[^:]:%31s`, so reads are capped at 31 characters (leaving room for the null terminator). The `-ac` input option must be passed to the converter for the vulnerable branch to be reached, but any service that uses Open Babel's `OBConversion` API with that option set is exploitable without additional privilege.
The fix
Upgrade to Open Babel 3.2.0 (released 2026-05-26), which adds width limits to the `sscanf` format string in `src/formats/mol2format.cpp` (commit 4110d59a). For library consumers, also audit any service that calls `OBConversion` with the `-ac` / `IsOption("c")` flag on untrusted input and restrict accepted file sources until the upgrade is applied.
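The width-limited format string from the patch, as an added C example that is not Open Babel's own code: it keeps the same 32-byte `attr` and `val` buffers and the `%31[^:]:%31s` widths, and adds a `%n` check so that a token longer than 31 bytes is reported as a rejected line rather than silently truncated (the width limit removes the overflow, not the truncation). The function name and the sample lines are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Same fixed size as the attr/val stack buffers in the MOL2 reader. */
#define MOL2_FIELD_LEN 32

/* Parse a "########## attr:val" comment line into two 32-byte buffers.
 * The vulnerable format was "########## %[^:]:%s": with no width, a token
 * longer than 31 bytes is written past the end of its buffer.  The widths
 * below cap each conversion at 31 characters (31 + NUL = 32), which is the
 * patch's fix.  A width limit stops the overflow but not truncation, so %n
 * is used to confirm the whole value token was consumed.
 * Returns 1 for a complete, in-bounds pair; 0 if the line does not match
 * or either token exceeds 31 bytes (the buffers then hold at most a
 * NUL-terminated 31-byte prefix). */
int parse_mol2_comment(const char *line,
                       char attr[MOL2_FIELD_LEN],
                       char val[MOL2_FIELD_LEN])
{
    int consumed = -1;
    attr[0] = '\0';
    val[0] = '\0';

    int n = sscanf(line, "########## %31[^:]:%31s%n", attr, val, &consumed);
    if (n != 2)
        return 0;   /* no match, or attr > 31 bytes: ':' never matched, n == 1 */

    /* val holds at most 31 bytes; if the input continues with a non-space
       character, the token was longer and has been cut short. */
    const char *rest = line + consumed;
    if (*rest != '\0' && !isspace((unsigned char)*rest))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample lines: a normal comment and one with a 40-byte value. */
    const char *ok  = "########## COMMENT:created-by-example";
    const char *bad = "########## COMMENT:"
                      "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB";
    char attr[MOL2_FIELD_LEN], val[MOL2_FIELD_LEN];

    printf("%d attr=%s val=%s\n", parse_mol2_comment(ok, attr, val), attr, val);
    printf("%d attr=%s val=%s (truncated, rejected)\n",
           parse_mol2_comment(bad, attr, val), attr, val);
    return 0;
}
```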
Reported by Cisco Talos.
Related research
- high · 7.8 · CVE-2022-43467: Open Babel PQS Parser Out-of-Bounds Write
- high · 7.8 · CVE-2022-46291: Open Babel Gaussian Parser Stack Buffer Overflow via translationVectors
- high · 7.8 · CVE-2022-46293: Open Babel MOPAC Output Parser Stack Buffer Overflow
- high · 7.8 · CVE-2022-46294: Open Babel MOPAC Cartesian Out-of-Bounds Write