PYSEC-2026-2781
Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:05Summary
A memory-safety vulnerability in Open Babel's SMILES parser caused a heap buffer overflow when reading a crafted input string.
Details
The flaw was in OBSmilesParser::ParseSmiles. A malformed SMILES
input caused the parser to write past the end of a heap-allocated
buffer.
Impact
Open Babel is a C++ library and CLI used to read and write chemistry
file formats; it is shipped by Linux distributions and embedded in
services that may parse untrusted input. Triggering this vulnerability
requires the victim to parse a malicious SMILES string with the
obabel tool, the OBConversion API, or any of the language
bindings (Python, Ruby, Java, R, Perl, C#, PHP). SMILES strings are
commonly passed on the command line and through scripted pipelines,
so this primitive is especially reachable.
Affected versions
All releases up to and including 3.1.1.
Patched version
3.2.0 (released 2026-05-26).
Patch
Fix commit: https://github.com/openbabel/openbabel/commit/b34cd604 Originally reported as #2831; fixes consolidated in #2913.
A minimized reproducer for this CVE is checked in under
test/files/fuzz_regress/ and is exercised on every CI build under
ASAN+UBSAN by the fuzzregresstest harness.
Credit
Reported via OSS-Fuzz.
| Name | purl | openbabel | pkg:pypi/openbabel |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "openbabel",
"purl": "pkg:pypi/openbabel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8",
"1.8.1",
"1.8.2",
"1.8.3",
"1.8.4",
"2.4.0",
"2.4.1",
"3.0.0",
"3.0.0a1",
"3.1.1",
"3.1.1.1"
]
}
],
"aliases": [
"CVE-2025-10996",
"GHSA-j35x-w4gj-pf7w"
],
"details": "### Summary\n\nA memory-safety vulnerability in Open Babel\u0027s SMILES parser caused a\nheap buffer overflow when reading a crafted input string.\n\n### Details\n\nThe flaw was in `OBSmilesParser::ParseSmiles`. A malformed SMILES\ninput caused the parser to write past the end of a heap-allocated\nbuffer.\n\n### Impact\n\nOpen Babel is a C++ library and CLI used to read and write chemistry\nfile formats; it is shipped by Linux distributions and embedded in\nservices that may parse untrusted input. Triggering this vulnerability\nrequires the victim to parse a malicious SMILES string with the\n`obabel` tool, the `OBConversion` API, or any of the language\nbindings (Python, Ruby, Java, R, Perl, C#, PHP). SMILES strings are\ncommonly passed on the command line and through scripted pipelines,\nso this primitive is especially reachable.\n\n### Affected versions\n\nAll releases up to and including 3.1.1.\n\n### Patched version\n\n3.2.0 (released 2026-05-26).\n\n### Patch\n\nFix commit: https://github.com/openbabel/openbabel/commit/b34cd604\nOriginally reported as #2831; fixes consolidated in #2913.\n\nA minimized reproducer for this CVE is checked in under\n`test/files/fuzz_regress/` and is exercised on every CI build under\nASAN+UBSAN by the `fuzzregresstest` harness.\n\n### Credit\n\nReported via OSS-Fuzz.",
"id": "PYSEC-2026-2781",
"modified": "2026-07-13T16:05:18.037108Z",
"published": "2026-07-13T15:46:25.561422Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/security/advisories/GHSA-j35x-w4gj-pf7w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10996"
},
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/issues/2831"
},
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/pull/2913"
},
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/commit/b34cd604"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbabel/openbabel"
},
{
"type": "WEB",
"url": "https://github.com/user-attachments/files/22318556/poc.zip"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325924"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325924"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.654060"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/openbabel"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-j35x-w4gj-pf7w"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Open Babel has heap buffer overflow in SMILES OBSmilesParser::ParseSmiles"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.