Description
A vulnerability was detected in Open Babel up to 3.1.1. The impacted element is the function OBAtom::SetFormalCharge in the library include/openbabel/atom.h of the component MOL2 File Handler. The manipulation results in out-of-bounds read. It is possible to launch the attack remotely. The exploit is now public and may be used. The patch is identified as e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. A patch should be applied to remediate this issue. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds read potentially leaking data or enabling remote exploitation
Action: Immediate Patch
AI Analysis

Impact

Open Babel, up to version 3.1.1, contains an out-of-bounds read in the OBAtom::SetFormalCharge function within the MOL2 File Handler, a classic buffer over-read weakness (CWE‑119/CWE‑125). The defect allows a maliciously crafted MOL2 file to cause the program to read memory beyond the intended buffer. Because the read can expose internal data or corrupt memory, an attacker may retrieve sensitive information or, in the worst case, trigger additional undefined behavior that could lead to remote code execution.

Affected Systems

All deployments of Open Babel 3.1.1 or earlier are affected. The vulnerability is present in the Open Babel library component that parses MOL2 files.

Risk and Exploitability

The flaw has a CVSS score of 5.3, indicating medium severity. Its EPSS score is below 1%, so the likelihood of exploitation in the wild is very low, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Nevertheless, the exploit is publicly available and can be triggered remotely by supplying a crafted MOL2 file. The patch with commit hash e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a resolves the issue; on unpatched installations a successful attack risks information disclosure or potential code execution, depending on the environment.

Generated by OpenCVE AI on April 18, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch identified by commit e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a or upgrade to a version that includes the fix.
  • When the patch cannot be applied immediately, validate and restrict processing of user-supplied MOL2 files, ensuring they are from trusted sources before parsing.
  • Monitor application logs for anomalous reads or crashes that may indicate exploitation attempts.



Advisories

No advisories yet.

History

Sun, 01 Mar 2026 07:15:00 +0000

Type: Description
  Values Removed: A vulnerability was detected in Open Babel up to 3.1.1. The impacted element is the function OBAtom::SetFormalCharge in the library include/openbabel/atom.h of the component MOL2 File Handler. The manipulation results in out-of-bounds read. It is possible to launch the attack remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
  Values Added: A vulnerability was detected in Open Babel up to 3.1.1. The impacted element is the function OBAtom::SetFormalCharge in the library include/openbabel/atom.h of the component MOL2 File Handler. The manipulation results in out-of-bounds read. It is possible to launch the attack remotely. The exploit is now public and may be used. The patch is identified as e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. A patch should be applied to remediate this issue. The project was informed of the problem early through an issue report but has not responded yet.

Type: References

Type: Metrics
  Values Removed:
    cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
  Values Added:
    cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}


Tue, 24 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openbabel:open_babel:*:*:*:*:*:*:*:*

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared: Openbabel; Openbabel open Babel
Vendors & Products: Openbabel; Openbabel open Babel

Thu, 19 Feb 2026 05:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Open Babel up to 3.1.1. The impacted element is the function OBAtom::SetFormalCharge in the library include/openbabel/atom.h of the component MOL2 File Handler. The manipulation results in out-of-bounds read. It is possible to launch the attack remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title Open Babel MOL2 File atom.h SetFormalCharge out-of-bounds
Weaknesses CWE-119, CWE-125
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-03T17:20:24.065Z

Reserved: 2026-02-18T18:05:04.203Z

Link: CVE-2026-2705

Vulnrichment

Updated: 2026-02-23T18:45:31.110Z

NVD

Status: Modified

Published: 2026-02-19T07:17:49.990

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2705

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses