Summary
A memory-safety vulnerability in Open Babel's PQS parser caused an
out-of-bounds (pre-buffer) read when reading a crafted input file.
Details
The flaw was in the lowerit helper used by the PQS parser. A
malformed input caused the helper to read one or more bytes before
the start of its input buffer.
Impact
Open Babel is a C++ library and CLI used to read and write chemistry
file formats; it is shipped by Linux distributions and embedded in
services that may parse untrusted input. Triggering this vulnerability
requires the victim to open a malicious PQS file with the obabel
tool, the OBConversion API, or any of the language bindings (Python,
Ruby, Java, R, Perl, C#, PHP).
Affected versions
All releases up to and including 3.1.1.
Patched version
3.2.0 (released 2026-05-26).
Patch
Fix commit: openbabel/openbabel@f4a5ebae
Fixes consolidated in #2913.
A minimized reproducer for this CVE is checked in under
test/files/fuzz_regress/ and is exercised on every CI build under
ASAN+UBSAN by the fuzzregresstest harness.
Credit
Reported via OSS-Fuzz.
References
Summary
A memory-safety vulnerability in Open Babel's PQS parser caused an
out-of-bounds (pre-buffer) read when reading a crafted input file.
Details
The flaw was in the
lowerithelper used by the PQS parser. Amalformed input caused the helper to read one or more bytes before
the start of its input buffer.
Impact
Open Babel is a C++ library and CLI used to read and write chemistry
file formats; it is shipped by Linux distributions and embedded in
services that may parse untrusted input. Triggering this vulnerability
requires the victim to open a malicious PQS file with the
obabeltool, the
OBConversionAPI, or any of the language bindings (Python,Ruby, Java, R, Perl, C#, PHP).
Affected versions
All releases up to and including 3.1.1.
Patched version
3.2.0 (released 2026-05-26).
Patch
Fix commit: openbabel/openbabel@f4a5ebae
Fixes consolidated in #2913.
A minimized reproducer for this CVE is checked in under
test/files/fuzz_regress/and is exercised on every CI build underASAN+UBSAN by the
fuzzregresstestharness.Credit
Reported via OSS-Fuzz.
References