high · 7.8CVE-2022-46292Jul 6, 2026

CVE-2022-46292: Open Babel MOPAC Output Parser Out-of-Bounds Write (UNIT CELL TRANSLATION)

Pranav Khune
Penetration Testing Team Lead, SecureLayer7

Opening a crafted MOPAC output file with Open Babel causes the parser to write past the end of a fixed-size stack array, which can corrupt the stack and lead to arbitrary code execution.

Packageopenbabel
Ecosystempip
Affected< 3.2.0
Fixed in3.2.0

The problem

Open Babel's MOPAC output reader in `src/formats/mopacformat.cpp` stores translation vectors from the `UNIT CELL TRANSLATION` block into a fixed-size `translationVectors[]` stack array. There is no check on how many vectors have already been written before calling `translationVectors[numTranslationVectors++].Set(x, y, z)`.

A malformed file can supply more than three vectors, pushing `numTranslationVectors` past the array bounds and overwriting adjacent stack memory including saved return addresses. The impact is potential arbitrary code execution with the privileges of the calling process.

Proof of concept

A working proof-of-concept for CVE-2022-46292 in openbabel, with the exact payload below.

text
 UNIT CELL TRANSLATION

  INDEX  ATOM   X          Y          Z
    1    C   1.000000   0.000000   0.000000
    2    C   0.000000   1.000000   0.000000
    3    C   0.000000   0.000000   1.000000
    4    C   1.100000   1.100000   1.100000
    5    C   2.200000   2.200000   2.200000
    6    C   3.300000   3.300000   3.300000

The loop in `mopacformat.cpp` continues as long as each line tokenizes to exactly 5 fields. There is no upper-bound guard on `numTranslationVectors`, so every extra vector line writes one `vector3` (three `double` values, 24 bytes) past the end of the stack array (CWE-787).

The `vector3::Set(x, y, z)` method writes all three doubles directly, giving an attacker full control over the overwritten words. The fix in commit `40e85213` adds an `if (numTranslationVectors < 3)` guard before the `Set()` call, capping writes to the three valid slots.

The fix

Upgrade to Open Babel 3.2.0 (released 2026-05-26), which includes fix commit `40e852138f21d586b7ccdce6329e7b23a87168bb`. If an immediate upgrade is not possible, avoid passing untrusted MOPAC output files to any Open Babel interface (CLI, `OBConversion` API, or language bindings).

Building with `-fstack-protector-strong` and ASLR will raise the exploitation bar but does not eliminate the write.

Reported by Cisco Talos.

References: [1][2][3][4][5][6]

Related research