CVE-2022-46294: Open Babel MOPAC Cartesian Out-of-Bounds Write
A crafted MOPAC Cartesian file with more than three Tv (translation-vector) entries overflows a fixed-size stack array in Open Babel, enabling arbitrary code execution in any application that parses u
The problem
Open Babel's MOPAC Cartesian reader (`mopcrtformat.cpp`) stores Tv-atom translation vectors into a fixed-size `vector3 translationVectors[3]` array on the stack.
The parsing loop checks only that each input line has the right number of tokens. It has no upper-bound check on the counter `numTranslationVectors`. A malformed file with four or more Tv entries writes past the end of the stack array, corrupting adjacent stack memory.
Proof of concept
The file below is a working proof of concept for CVE-2022-46294 in Open Babel; it is the exact payload.
```
; MOPAC Cartesian (.mpc) file triggering CVE-2022-46294
; Feed to: obabel -i mopcrt evil.mpc -o sdf
PM7
OOB translationVectors PoC
C 0.000 1 0.000 1 0.000 1
Tv 1.000 1 0.000 1 0.000 1
Tv 0.000 1 1.000 1 0.000 1
Tv 0.000 1 0.000 1 1.000 1
Tv 9.999 1 9.999 1 9.999 1
Tv 9.999 1 9.999 1 9.999 1
```
The vulnerable code declares `vector3 translationVectors[3]` on the stack, then enters a `while (vs.size() == 5)` loop that calls `translationVectors[numTranslationVectors++].Set(x, y, z)` with no bounds guard. Each Tv line supplies exactly 5 tokens, so the loop runs as many times as the attacker provides Tv entries.
The fourth write lands at `translationVectors[3]`, one slot past the array, and overwrites adjacent stack data including saved registers or a return address.
The patch (commit 40e85213) adds a guard `if (numTranslationVectors < 3)` before the `Set()` call, capping writes to the three valid slots. CWE-787 (Out-of-bounds Write) on the stack is directly exploitable when the attacker controls the x, y, z double values written.
The fix
Upgrade to Open Babel 3.2.0 (released 2026-05-26), which applies commit 40e852138f21d586b7ccdce6329e7b23a87168bb. The fix adds `if (numTranslationVectors < 3)` before every `translationVectors[numTranslationVectors++].Set(...)` call in the affected format parsers.
If upgrading immediately is not possible, avoid processing untrusted MOPAC Cartesian files through any Open Babel API or CLI.
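The guard described above, modelled in a self-contained C++ example (added here, not Open Babel source code). `TvResult` and `parseTranslationVectors` are hypothetical names, and the seven-token `Tv x flag y flag z flag` line layout is assumed from the sample file; besides capping writes at three slots, it counts every Tv record so a caller can reject a file that carries more than three before it reaches Open Babel.

```cpp
// Added example, not Open Babel source; all type and function names are hypothetical.
#include <array>
#include <exception>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct Vec3 { double x, y, z; };

struct TvResult {
    std::array<Vec3, 3> vectors{};  // same capacity as translationVectors[3]
    int stored = 0;                 // entries actually written into the array
    int seen = 0;                   // Tv records present in the input
    bool overLimit() const { return seen > 3; }
};

// Assumed line layout (from the sample file): "Tv x flag y flag z flag".
TvResult parseTranslationVectors(const std::string& text) {
    TvResult r;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        std::vector<std::string> vs;
        for (std::string tok; ls >> tok;) vs.push_back(tok);
        if (vs.size() != 7 || vs[0] != "Tv") continue;  // not a Tv record
        double x = 0, y = 0, z = 0;
        try { x = std::stod(vs[1]); y = std::stod(vs[3]); z = std::stod(vs[5]); }
        catch (const std::exception&) { continue; }      // non-numeric coordinate
        ++r.seen;
        if (r.stored < 3)                                // the guard the fix adds
            r.vectors[r.stored++] = Vec3{x, y, z};
    }
    return r;
}

int main() {
    // Constructed input: five Tv records, two more than the array can hold.
    const std::string sample =
        "C 0.000 1 0.000 1 0.000 1\nTv 1.000 1 0.000 1 0.000 1\n"
        "Tv 0.000 1 1.000 1 0.000 1\nTv 0.000 1 0.000 1 1.000 1\n"
        "Tv 9.999 1 9.999 1 9.999 1\nTv 9.999 1 9.999 1 9.999 1\n";
    TvResult r = parseTranslationVectors(sample);
    std::cout << "seen=" << r.seen << " stored=" << r.stored
              << " reject=" << std::boolalpha << r.overLimit() << "\n";
    return 0;
}
```

Without the `r.stored < 3` check, the fourth record would index `vectors[3]`, which is the out-of-bounds write this advisory describes.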
Reported by Cisco Talos.
Related research
- CVE-2022-43467 (high, 7.8): Open Babel PQS Parser Out-of-Bounds Write
- CVE-2022-43607 (high, 7.8): Open Babel MOL2 Parser Stack Buffer Overflow
- CVE-2022-46291 (high, 7.8): Open Babel Gaussian Parser Stack Buffer Overflow via translationVectors
- CVE-2022-46293 (high, 7.8): Open Babel MOPAC Output Parser Stack Buffer Overflow