CVE-2022-46293: Open Babel MOPAC Output Parser Stack Buffer Overflow
Open Babel's MOPAC output reader lets an attacker overflow a fixed-size stack array by placing more than three translation-vector triplets in a crafted 'FINAL POINT AND DERIVATIVES' block, which can l
The problem
The MOPAC output format reader in `mopacformat.cpp` parses translation vectors from the 'FINAL POINT AND DERIVATIVES' section into a fixed-size stack array `translationVectors[3]`.
The reading loop continued as long as each line carried 8 tokens and the atom name was `Tv`, with no check on how many vectors had already been stored. Feeding four or more complete X/Y/Z triplets writes past the end of the array, corrupting adjacent stack memory.
On a vulnerable build this is a stack-buffer-overflow that can reach arbitrary code execution.
Proof of concept
A working proof-of-concept for CVE-2022-46293 in Open Babel, with the exact payload below.
FINAL POINT AND DERIVATIVES
ATOM CHEMICAL BOND BOND
NUMBER SYMBOL LENGTH ANGLE
1 Tv X 0 1.000000 0.0
2 Tv Y 0 0.000000 0.0
3 Tv Z 0 0.000000 0.0
4 Tv X 0 0.000000 0.0
5 Tv Y 0 1.000000 0.0
6 Tv Z 0 0.000000 0.0
7 Tv X 0 0.000000 0.0
8 Tv Y 0 0.000000 0.0
9 Tv Z 0 1.000000 0.0
10 Tv X 0 0.000000 0.0
11 Tv Y 0 0.000000 0.0
12 Tv Z 0 1.000000 0.0
The Talos advisory reproduces the exact loop: every line with 8 tokens where token[2] is `Tv` and token[4] is `Z` triggers `translationVectors[numTranslationVectors++].Set(x, y, z)`. Because `numTranslationVectors` is never capped, a fourth Z-row writes 24 bytes past the 3-element stack array (CWE-787 / CWE-119).
The same copy-pasted pattern affected five code paths across MSI, MOPAC (two issues), MOPAC Cartesian, and Gaussian formats. Commit 40e85213 adds a `numTranslationVectors < 3` guard before every `translationVectors[numTranslationVectors++].Set(...)` call, stopping the loop once the array is full.
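The bounded loop described above, as an added example that is not Open Babel's code or the commit's diff: it applies the same `< 3` guard and also counts refused triplets so a caller can reject the file as malformed. The row layout, `Vec3`, `TvResult`, `parseTranslationVectors` and `makeBlock` are assumptions made for illustration.

```cpp
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct Vec3 { double x, y, z; };
struct TvResult {
    Vec3 vectors[3] = {};  // same fixed capacity as translationVectors[3]
    int stored = 0;        // triplets written into vectors[]
    int dropped = 0;       // complete triplets refused because the array was full
};

// Assumed row layout (simplified, not Open Babel's exact columns): 8 tokens,
// tok[1] == "Tv", tok[2] is the axis letter, tok[4] is the component value.
TvResult parseTranslationVectors(const std::string& block) {
    TvResult r;
    std::istringstream in(block);
    std::string line;
    double x = 0, y = 0;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        std::vector<std::string> tok;
        for (std::string t; ls >> t;) tok.push_back(t);
        if (tok.size() != 8) break;        // section ends on a non-8-token line
        if (tok[1] != "Tv") continue;      // ordinary atom row, not a vector
        const double v = std::strtod(tok[4].c_str(), nullptr);
        if (tok[2] == "X") x = v;
        else if (tok[2] == "Y") y = v;
        else if (tok[2] == "Z") {
            // The guard: never index past element 2 of the fixed array.
            if (r.stored < 3) r.vectors[r.stored++] = Vec3{x, y, v};
            else ++r.dropped;              // an unguarded loop would write here
        }
    }
    return r;
}

// Constructed input: `triplets` complete X/Y/Z groups with values 1, 2, 3, ...
std::string makeBlock(int triplets) {
    std::ostringstream out;
    for (int i = 0; i < triplets * 3; ++i)
        out << (i + 1) << " Tv " << "XYZ"[i % 3] << " 0 " << (i + 1) << ".0 0.0 0 0\n";
    return out.str();
}

int main() {
    const TvResult r = parseTranslationVectors(makeBlock(4));
    std::cout << "stored=" << r.stored << " dropped=" << r.dropped << "\n";
    return r.dropped ? 1 : 0;  // non-zero exit flags an over-long Tv section
}
```

A non-zero `dropped` count is a cheap signal for logging or rejecting input, since a periodic system has at most three translation vectors.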
The fix
Upgrade to Open Babel 3.2.0 (released 2026-05-26), which contains the fix commit 40e852138f21d586b7ccdce6329e7b23a87168bb. The patch adds an upper-bound check (`numTranslationVectors < 3`) before every write into `translationVectors[]` across all affected format parsers.
If upgrading immediately is not possible, avoid passing untrusted MOPAC output files to `obabel` or any application using `OBConversion`.
Reported by Cisco Talos.
Related research
- high · 7.8 · CVE-2022-43467: Open Babel PQS Parser Out-of-Bounds Write
- high · 7.8 · CVE-2022-43607: Open Babel MOL2 Parser Stack Buffer Overflow
- high · 7.8 · CVE-2022-46291: Open Babel Gaussian Parser Stack Buffer Overflow via translationVectors
- high · 7.8 · CVE-2022-46294: Open Babel MOPAC Cartesian Out-of-Bounds Write