CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2022-46292

highCVSS 7.8covered by 1 sourcefirst seen 2026-07-06
Summary A memory-safety vulnerability in Open Babel's MOPAC output parser allowed an out-of-bounds write into the translationVectors[] array when reading the "UNIT CELL TRANSLATION" block of a crafted input file. Details The MOPAC output reader stored translation vectors from the UNIT CELL TRANSLATION block into a fixed-size translationVectors[] array. A malformed block could push more vectors than the array had slots, causing a write past the end of the array. One of five translationVectors[] OOB writes in the TALOS 2022 batch. Impact Open Babel is a C++ library and CLI used to read and write chemistry file formats; it is shipped by Linux distributions and embedded in services that may parse untrusted input. Triggering this vulnerability requires the victim to open a malicious MOPAC output file with the obabel tool, the OBConversion API, or any of the language bindings (Python, Ruby, Java, R, Perl, C#, PHP). Affected versions All releases up to and including 3.1.1. Patched version 3.2.0 (released 2026-05-26). Patch Fix commit: https://github.com/openbabel/openbabel/commit/40e85213 A minimized reproducer for this CVE is checked in under test/files/fuzz_regress/ and is exercised on every CI build under ASAN+UBSAN by the fuzzregresstest harness. Credit Reported by Cisco TALOS.

⚡ Watch CVE-2022-46292

Get an email if CVE-2022-46292 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2022-46292

CVE.org record

Embed the live status

CVE-2022-46292 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2022-46292 status](https://www.csirts.com/badge/CVE-2022-46292)](https://www.csirts.com/cve/CVE-2022-46292)