CVE-2022-46292: Open Babel MOPAC Output Parser Out-of-Bounds Write (UNIT CELL TRANSLATION)
Opening a crafted MOPAC output file with Open Babel causes the parser to write past the end of a fixed-size stack array, which can corrupt the stack and lead to arbitrary code execution.
The problem
Open Babel's MOPAC output reader in `src/formats/mopacformat.cpp` stores translation vectors from the `UNIT CELL TRANSLATION` block into a fixed-size `translationVectors[]` stack array. There is no check on how many vectors have already been written before calling `translationVectors[numTranslationVectors++].Set(x, y, z)`.
A malformed file can supply more than three vectors, pushing `numTranslationVectors` past the array bounds and overwriting adjacent stack memory including saved return addresses. The impact is potential arbitrary code execution with the privileges of the calling process.
Proof of concept
A working proof-of-concept for CVE-2022-46292 in openbabel, with the exact payload below.
UNIT CELL TRANSLATION
INDEX ATOM X Y Z
1 C 1.000000 0.000000 0.000000
2 C 0.000000 1.000000 0.000000
3 C 0.000000 0.000000 1.000000
4 C 1.100000 1.100000 1.100000
5 C 2.200000 2.200000 2.200000
6 C 3.300000 3.300000 3.300000The loop in `mopacformat.cpp` continues as long as each line tokenizes to exactly 5 fields. There is no upper-bound guard on `numTranslationVectors`, so every extra vector line writes one `vector3` (three `double` values, 24 bytes) past the end of the stack array (CWE-787).
The `vector3::Set(x, y, z)` method writes all three doubles directly, giving an attacker full control over the overwritten words. The fix in commit `40e85213` adds an `if (numTranslationVectors < 3)` guard before the `Set()` call, capping writes to the three valid slots.
The fix
Upgrade to Open Babel 3.2.0 (released 2026-05-26), which includes fix commit `40e852138f21d586b7ccdce6329e7b23a87168bb`. If an immediate upgrade is not possible, avoid passing untrusted MOPAC output files to any Open Babel interface (CLI, `OBConversion` API, or language bindings).
Building with `-fstack-protector-strong` and ASLR will raise the exploitation bar but does not eliminate the write.
Reported by Cisco Talos.
Related research
- high · 7.8CVE-2022-43467CVE-2022-43467: Open Babel PQS Parser Out-of-Bounds Write
- high · 7.8CVE-2022-43607CVE-2022-43607: Open Babel MOL2 Parser Stack Buffer Overflow
- high · 7.8CVE-2022-46291CVE-2022-46291: Open Babel Gaussian Parser Stack Buffer Overflow via translationVectors
- high · 7.8CVE-2022-46293CVE-2022-46293: Open Babel MOPAC Output Parser Stack Buffer Overflow