CVE-2026-2704

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-2704
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2704.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2704
Downstream
Related
Published
2026-02-19T07:17:49.720Z
Modified
2026-06-24T09:14:34.660784287Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVSS Calculator
Summary
[none]
Details

A security vulnerability has been detected in Open Babel up to 3.1.1. The affected element is the function OpenBabel::transform3d::DescribeAsString of the file src/math/transform3d.cpp of the component CIF File Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. It is suggested to install a patch to address this issue. The project was informed of the problem early through an issue report but has not responded yet.

References

Affected packages

Git / github.com/VedantMadane/openbabel

Affected ranges

Type
GIT
Repo
https://github.com/VedantMadane/openbabel
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
cbd4db43f8908b874864280fdc03bf92569eebc1
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.1.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/vedantmadane/openbabel
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a

Affected versions

Other
openbabel-3-0-0
openbabel-3-0-0a1
openbabel-3-0-0a2
openbabel-3-1-0
openbabel-3-1-1

Database specific

vanir_signatures_modified 
"2026-04-12T20:21:43Z"
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2704.json"
vanir_signatures 
[
    {
        "signature_version": "v1",
        "digest": {
            "length": 8741.0,
            "function_hash": "30010962304116138080607436319469699538"
        },
        "deprecated": false,
        "source": "https://github.com/vedantmadane/openbabel/commit/e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a",
        "signature_type": "Function",
        "id": "CVE-2026-2704-01bc6dd8",
        "target": {
            "function": "MOL2Format::ReadMolecule",
            "file": "src/formats/mol2format.cpp"
        }
    },
    {
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "217684272962877016414138833642465327871",
                "281597259995795846860484565484922236444",
                "67944802873645976870685274386029446693",
                "284286721701357702013437237273380090033",
                "242538309816058351042879703787182903972"
            ]
        },
        "target": {
            "file": "src/formats/xml/cdxmlformat.cpp"
        },
        "source": "https://github.com/vedantmadane/openbabel/commit/e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a",
        "signature_type": "Line",
        "id": "CVE-2026-2704-0f76489d",
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "digest": {
            "length": 1251.0,
            "function_hash": "119405193706058877749533351361322555021"
        },
        "deprecated": false,
        "source": "https://github.com/vedantmadane/openbabel/commit/e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a",
        "signature_type": "Function",
        "id": "CVE-2026-2704-33bca003",
        "target": {
            "function": "transform3d::DescribeAsString",
            "file": "src/math/transform3d.cpp"
        }
    },
    {
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "74714072063425806463116978712476486227",
                "26720173946644870887389989496423085704",
                "17720890902694951893861370958398576869",
                "241071117686927028701713811667404671016",
                "310400835440742988261621149033241726729",
                "223347280846511975360235714746911352592",
                "113071542473268934638868109943538653392"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/vedantmadane/openbabel/commit/e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a",
        "signature_type": "Line",
        "id": "CVE-2026-2704-a7c7b4f1",
        "target": {
            "file": "src/formats/mol2format.cpp"
        }
    },
    {
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "126791517391950924350933049496851609362",
                "273447677231502680745093624288136141499",
                "122020157048298215120106090724374946668",
                "106789864566273743879341108317849902974",
                "40275149034654090481755797826856792854"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/vedantmadane/openbabel/commit/e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a",
        "signature_type": "Line",
        "id": "CVE-2026-2704-b63644bb",
        "target": {
            "file": "src/math/transform3d.cpp"
        }
    },
    {
        "signature_version": "v1",
        "digest": {
            "length": 650.0,
            "function_hash": "76514931888117891657624299142639965215"
        },
        "deprecated": false,
        "source": "https://github.com/vedantmadane/openbabel/commit/e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a",
        "signature_type": "Function",
        "id": "CVE-2026-2704-f94e2ea9",
        "target": {
            "function": "ChemDrawXMLFormat::EndElement",
            "file": "src/formats/xml/cdxmlformat.cpp"
        }
    }
]