Open Babel 3.2.0 was tagged on 2026-05-26 and ships fixes for 24 publicly-assigned CVEs in the chemistry file-format parsers, plus a larger pool of OSS-Fuzz-discovered memory-safety bugs that were not individually assigned CVE IDs. All issues are reachable through the public OBConversion::ReadFile / WriteFile API, the `obabel` CLI, or the language bindings, so downstream distributions parsing untrusted chemistry files should plan to update or backport.
Project: Open Babel (https://openbabel.org/) Affected: all releases <= 3.1.1 Fixed in: 3.2.0 (https://github.com/openbabel/openbabel/releases/tag/openbabel-3-2-0) Advisory: https://github.com/openbabel/openbabel/blob/master/SECURITY.md == CVE-2026 batch (reported by Vedant Madane; PR #2862) == CVE-2026-2704 CIF transform3d::DescribeAsString out-of-bounds read CVE-2026-2705 MOL2 OBAtom::SetFormalCharge NULL dereference CVE-2026-3408 CDXML OBAtom::GetExplicitValence NULL dereference == CVE-2025 batch (reported via OSS-Fuzz; PR #2913) == CVE-2025-10994 GAMESSOutputFormat::ReadMolecule use-after-free CVE-2025-10995 zipstream basic_unzip_streambuf overlapping memcpy CVE-2025-10996 OBSmilesParser::ParseSmiles heap-buffer-overflow CVE-2025-10997 ChemKinFormat::CheckSpecies heap-buffer-overflow CVE-2025-10998 ChemKinFormat::ReadReactionQualifier NULL dereference CVE-2025-10999 CacaoFormat::SetHilderbrandt NULL dereference CVE-2025-11000 PQS lowerit out-of-bounds read == CVE-2022 batch (reported by Cisco TALOS; PRs #2883-#2887) == CVE-2022-37331 Gaussian coords_type orientation OOB write CVE-2022-41793 CSR PadString title OOB write CVE-2022-42885 GRO res uninitialized pointer CVE-2022-43467 PQS coord_file OOB write CVE-2022-43607 MOL2 attribute/value OOB write CVE-2022-44451 MSI atom uninitialized pointer CVE-2022-46280 PQS pFormat uninitialized pointer CVE-2022-46289 ORCA nAtoms OOB write CVE-2022-46290 ORCA nAtoms OOB write CVE-2022-46291 Gaussian translationVectors[] OOB write CVE-2022-46292 MOPAC translationVectors[] (UNIT CELL) OOB write CVE-2022-46293 MOPAC translationVectors[] (FINAL PT) OOB write CVE-2022-46294 MOPAC IN translationVectors[] (Tv) OOB write CVE-2022-46295 MSI translationVectors[] OOB write The full per-CVE table with patch commits is in SECURITY.md on the release branch: https://github.com/openbabel/openbabel/blob/openbabel-3-2-0/SECURITY.md Reproducers for each CVE are checked in under test/files/fuzz_regress/ and run on every CI build through the fuzzregresstest harness, with an ASAN+UBSAN job to catch regressions. == Additional hardening (no individual CVE IDs) == 3.2.0 also lands a large set of OSS-Fuzz / Trail of Bits / ADA Logics (Claude Mythos) fixes across MCDL, ChemDraw CDX, ChemKin, abinit, CACAO, Gaussian (including z-matrix and cube), Molpro, POV-Ray, Tinker, SMARTS, MDL V3000, SDF, CIF, and the SMILES canonicalizer. Hardening highlights: - FindRings recursion converted to an iterative loop (stack smash) - Atom-count bounds, bond-loop bounds, charge bounds (+/-999) - SMARTS recursive '((' depth capped at 1000 - MCDL heavy-atom cap at 200 - Reject element numbers > 118 - std::unique_ptr adoption to close leaks / UAFs A 5-second timeout was also added to canonical-label generation to prevent hangs on pathological inputs. == Mitigation == Upgrade to Open Babel 3.2.0. Source tarball, signed git tag, and Python wheels (Linux x86_64/aarch64, macOS, Windows) are available from the release page above. The fixes apply cleanly against 3.1.1 for distros wishing to backport; per-file PR references are in SECURITY.md. == Credits == - Cisco TALOS (2022 batch) - Vedant Madane (2026 batch) - OSS-Fuzz, Trail of Bits, ADA Logics (Arthur Chan), Claude Mythos / Claude Security (ongoing fuzzing reports) - David Korczynski (#2874), tyler92 (#2737), catenacyber (#2342) for the fuzz-harness infrastructure Thanks to all the reporters and the fuzzing infrastructure teams. -- Geoff Hutchison Open Babel maintainer [email protected]
