CVE-2025-10996: Open Babel SMILES Parser Heap Buffer Overflow
Open Babel's SMILES parser reads past the end of a heap buffer when given a crafted molecule string, which can crash or corrupt memory in any application that converts chemistry file formats.
The problem
The function `OBSmilesParser::ParseSmiles` in `src/formats/smilesformat.cpp` performs an out-of-bounds read of 4 bytes on a heap-allocated vector when processing a malformed SMILES string.
Open Babel ships in Linux distributions, has Python/Ruby/Java/R/Perl/C#/PHP bindings, and is embedded in web-facing cheminformatics pipelines. Any code path that calls `OBConversion` or `obabel` on untrusted SMILES is affected, so the bug is reachable from scripts, REST APIs, and CI pipelines alike.
The fix
Upgrade to Open Babel 3.2.0 (released 2026-05-26). The patch is commit b34cd604, consolidated in PR #2913. If you cannot upgrade immediately, avoid passing untrusted SMILES strings to `obabel`, `OBConversion::ReadString`, or any language binding that calls `SmiToMol` until the patch is applied.
Reported by OSS-Fuzz.
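As an added example (not from the advisory or the Open Babel project), a Python wrapper that gates on the installed Open Babel version and runs the converter in a separate, resource-limited child process, so a parser crash on an untrusted SMILES string takes down only the child and is reported as a structured failure rather than corrupting the calling service. The converter command, the 512 MiB memory cap, the 5 s timeout and the 4096-character input limit are assumptions.

```python
import resource
import signal
import subprocess
from dataclasses import dataclass

FIXED_VERSION = (3, 2, 0)  # first release carrying the fix (PR #2913)


def parse_version(v: str) -> tuple:
    """Turn a version string such as '3.1.1' into a comparable tuple."""
    return tuple(int(p) for p in v.strip().split(".")[:3])


def is_vulnerable(version: str) -> bool:
    """True when the installed Open Babel predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class ConvertResult:
    ok: bool
    output: str
    reason: str  # "ok", "rejected", "timeout", "crashed:<signal>", "error:<code>"


def _limit_child():
    # Constructed cap: 512 MiB of address space for the converter process.
    lim = 512 * 1024 * 1024
    resource.setrlimit(resource.RLIMIT_AS, (lim, lim))


def convert_isolated(cmd, smiles: str, timeout: float = 5.0) -> ConvertResult:
    """Run a converter command (e.g. ['obabel', '-ismi', '-ocan']) on one SMILES
    string in a child process. A heap overflow in the child's parser cannot
    corrupt the caller's memory; a signal death is reported by name."""
    if "\n" in smiles or len(smiles) > 4096:
        return ConvertResult(False, "", "rejected")  # one bounded molecule per call
    try:
        proc = subprocess.run(cmd, input=smiles.encode(), capture_output=True,
                              timeout=timeout, preexec_fn=_limit_child)
    except subprocess.TimeoutExpired:
        return ConvertResult(False, "", "timeout")
    if proc.returncode < 0:  # killed by a signal, e.g. SIGSEGV from the overflow
        return ConvertResult(False, "", f"crashed:{signal.Signals(-proc.returncode).name}")
    if proc.returncode != 0:
        return ConvertResult(False, "", f"error:{proc.returncode}")
    return ConvertResult(True, proc.stdout.decode(errors="replace").strip(), "ok")
```

Call `convert_isolated` only when `is_vulnerable()` is true for the version reported by `obabel -V`; once on 3.2.0 the in-process API can be used again.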