high · 7.8 · CVE-2022-46294 · Jul 1, 2026

CVE-2022-46294: Open Babel MOPAC Cartesian Out-of-Bounds Write

Pranav Khune
Penetration Testing Team Lead, SecureLayer7

A crafted MOPAC Cartesian file with more than three Tv (translation-vector) entries overflows a fixed-size stack array in Open Babel, enabling arbitrary code execution in any application that parses u

Package: openbabel
Ecosystem: pip
Affected: < 3.2.0
Fixed in: 3.2.0

The problem

Open Babel's MOPAC Cartesian reader (`mopcrtformat.cpp`) stores Tv-atom translation vectors into a fixed-size `vector3 translationVectors[3]` array on the stack.

The parsing loop checks only that each input line has the right number of tokens. It has no upper-bound check on the counter `numTranslationVectors`. A malformed file with four or more Tv entries writes past the end of the stack array, corrupting adjacent stack memory.

Proof of concept

The following MOPAC Cartesian file is a working proof of concept for CVE-2022-46294 in openbabel.

```text
; MOPAC Cartesian (.mpc) file triggering CVE-2022-46294
; Feed to: obabel -i mopcrt evil.mpc -o sdf
PM7
OOB translationVectors PoC

 C   0.000  1  0.000  1  0.000  1
Tv   1.000  1  0.000  1  0.000  1
Tv   0.000  1  1.000  1  0.000  1
Tv   0.000  1  0.000  1  1.000  1
Tv   9.999  1  9.999  1  9.999  1
Tv   9.999  1  9.999  1  9.999  1
```

The vulnerable code declares `vector3 translationVectors[3]` on the stack, then enters a `while (vs.size() == 5)` loop that calls `translationVectors[numTranslationVectors++].Set(x, y, z)` with no bounds guard. Each Tv line supplies exactly 5 tokens, so the loop runs as many times as the attacker provides Tv entries.

The fourth write lands at `translationVectors[3]`, one slot past the array, and overwrites adjacent stack data including saved registers or a return address.

The patch (commit 40e85213) adds a guard `if (numTranslationVectors < 3)` before the `Set()` call, capping writes to the three valid slots. CWE-787 (Out-of-bounds Write) on the stack is directly exploitable when the attacker controls the x, y, z double values written.

The fix

Upgrade to Open Babel 3.2.0 (released 2026-05-26), which applies commit 40e852138f21d586b7ccdce6329e7b23a87168bb. The fix adds `if (numTranslationVectors < 3)` before every `translationVectors[numTranslationVectors++].Set(...)` call in the affected format parsers.
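The guard described above, as an added example: a simplified stand-alone model of the patched loop, not Open Babel's source. `Vec3`, `TvResult`, `parseTv`, `kPocAtoms` and the `ignored` counter are hypothetical names, and the coordinate positions are assumed from the PoC's atom lines.

```cpp
// Added illustration: simplified model of the patched Tv loop, not Open Babel source.
#include <cstdio>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

struct Vec3 { double x, y, z; };   // hypothetical stand-in for OpenBabel's vector3
struct TvResult {
    Vec3 tv[3] = {};               // same fixed capacity as translationVectors[3]
    int stored = 0;                // Tv entries actually written
    int ignored = 0;               // surplus Tv entries rejected by the guard
};

// Atom lines copied from the PoC on this page: one C atom, then five Tv entries.
static const char kPocAtoms[] =
    " C   0.000  1  0.000  1  0.000  1\n"
    "Tv   1.000  1  0.000  1  0.000  1\n"
    "Tv   0.000  1  1.000  1  0.000  1\n"
    "Tv   0.000  1  0.000  1  1.000  1\n"
    "Tv   9.999  1  9.999  1  9.999  1\n"
    "Tv   9.999  1  9.999  1  9.999  1\n";

TvResult parseTv(const std::string& body) {
    TvResult r;
    std::istringstream in(body);
    for (std::string line; std::getline(in, line);) {
        std::istringstream ls(line);
        std::vector<std::string> vs;
        for (std::string t; ls >> t;) vs.push_back(t);   // whitespace tokenizer
        if (vs.size() < 6 || vs[0] != "Tv") continue;    // not a Tv atom line
        double x = 0, y = 0, z = 0;
        try { x = std::stod(vs[1]); y = std::stod(vs[3]); z = std::stod(vs[5]); }
        catch (const std::exception&) { continue; }      // non-numeric coordinate
        if (r.stored < 3) {                              // the bound the fix adds
            r.tv[r.stored++] = Vec3{x, y, z};
        } else {
            ++r.ignored;                                 // 4th+ entry never indexes tv[]
        }
    }
    return r;
}

int main() {
    TvResult r = parseTv(kPocAtoms);
    std::printf("stored=%d ignored=%d\n", r.stored, r.ignored);
    return (r.stored == 3 && r.ignored == 2) ? 0 : 1;
}
```

Counting the rejected entries is an addition of this example; a non-zero `ignored` value is a useful signal that an input file is malformed.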

If upgrading immediately is not possible, avoid processing untrusted MOPAC Cartesian files through any Open Babel API or CLI.

Reported by Cisco Talos.
