Description
A vulnerability was identified in Open Babel up to 3.1.1. This impacts the function OBAtom::GetExplicitValence of the file isrc/atom.cpp of the component CDXML File Handler. Such manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit is publicly available and might be used. The name of the patch is e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. It is best practice to apply a patch to resolve this issue.
Published: 2026-03-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Null Pointer Dereference (potential DoS)
Action: Immediate Patch
AI Analysis

Impact

An issue in Open Babel versions up to 3.1.1 allows an attacker to trigger a null-pointer dereference inside the CDXML file handler when the function OBAtom::GetExplicitValence is called. This defect can cause the application to crash, leading to a denial of service. The flaw is formally categorized as a null pointer dereference, an out-of-bounds write, and an improper resource release. Successful exploitation would compromise the availability of the affected system.

Affected Systems

Open Babel, a cheminformatics toolkit used in chemistry and bio‑informatics, is affected in all releases up to and including 3.1.1. The source code affected resides in the CDXML file handler module (atom.cpp).

Risk and Exploitability

The risk is moderate, with a CVSS score of 5.3 and a very low EPSS probability (<1%). However, the vulnerability has a publicly available exploit and can be triggered remotely via crafted CDXML files, making it a realistic threat to users who load untrusted data. Because the issue arises from a null pointer dereference, any process that invokes OBAtom::GetExplicitValence on a malformed CDXML file could crash. The KEV listing does not record this vulnerability, but the presence of an exploit means that it should be addressed promptly.

Generated by OpenCVE AI on April 17, 2026 at 13:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch identified by commit e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a to update Open Babel to version 3.1.2 or later
  • Upgrade Open Babel to the latest stable release if available
  • Restrict processing of untrusted CDXML files until the patch is applied


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:a:openbabel:open_babel:*:*:*:*:*:*:*:*

Mon, 02 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Openbabel
Openbabel open Babel
Vendors & Products Openbabel
Openbabel open Babel

Mon, 02 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in Open Babel up to 3.1.1. This impacts the function OBAtom::GetExplicitValence of the file isrc/atom.cpp of the component CDXML File Handler. Such manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit is publicly available and might be used. The name of the patch is e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. It is best practice to apply a patch to resolve this issue.
Title Open Babel CDXML File atom.cpp GetExplicitValence null pointer dereference
Weaknesses CWE-404
CWE-476
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-02T14:39:26.476Z

Reserved: 2026-03-01T07:11:14.065Z

Link: CVE-2026-3408

Vulnrichment

Updated: 2026-03-02T14:38:57.107Z

NVD

Status: Analyzed

Published: 2026-03-02T04:16:06.023

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3408

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses