CVE-2026-2705
Published: 19 February 2026
Summary
CVE-2026-2705 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Open Babel (vendor: Openbabel). Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability is ranked at the 48.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2705 is an out-of-bounds read vulnerability in Open Babel versions up to 3.1.1. The flaw affects the OBAtom::SetFormalCharge function in the include/openbabel/atom.h library file, part of the MOL2 File Handler component. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read), with a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
The vulnerability is remotely exploitable by unauthenticated attackers with no privileges and low attack complexity, but it requires user interaction: the victim must open or process an attacker-supplied MOL2 file. Doing so triggers the out-of-bounds read, which can crash the application; the vector's availability impact is Low, consistent with a denial-of-service outcome rather than disclosure or code execution.
Advisories recommend applying the patch at commit e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a to remediate the issue. The Open Babel project was informed early via GitHub issue #2848, with a related pull request #2862, though it has not yet responded. A proof-of-concept exploit is publicly available, and exploitation may occur as it is now public.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7561
Vulnerability details
A vulnerability was detected in Open Babel up to 3.1.1. The impacted element is the function OBAtom::SetFormalCharge in the library include/openbabel/atom.h of the component MOL2 File Handler. The manipulation results in an out-of-bounds read. It is possible to launch the attack remotely. The exploit is now public and may be used. The patch is identified as e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. A patch should be applied to remediate this issue. The project was informed of the problem early through an issue report but has not responded yet.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A malicious MOL2 file must be opened by the user (User Execution: Malicious File, T1204.002) to trigger the out-of-bounds read; the result is an application denial of service (Endpoint Denial of Service: Application or System Exploitation, T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the published patch (commit e23a224b) to eliminate the out-of-bounds read in OBAtom::SetFormalCharge before a malicious MOL2 file can be processed.
- SI-10 (Information Input Validation): mandates validation of all input data, which would enforce bounds checking on MOL2 file contents and block the CWE-119/125 flaw at the point of file ingestion.
- SI-16 (Memory Protection): requires hardware or software memory protection mechanisms that can detect or contain the out-of-bounds read triggered by a crafted MOL2 file, limiting the resulting denial of service.