CVE-2026-2704

4.3 MEDIUM

📋 TL;DR

An out-of-bounds read vulnerability in Open Babel's CIF file handler allows remote attackers to read memory beyond allocated buffers. This affects Open Babel users who process untrusted CIF files, potentially exposing sensitive information or causing application crashes.

💻 Affected Systems

Products:
  • Open Babel
Versions: Up to and including 3.1.1
Operating Systems: All platforms running Open Babel
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when processing CIF files through the transform3d component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote information disclosure leading to exposure of sensitive memory contents, potentially including credentials or other application data.

🟠 Likely Case

Application crash or denial of service when processing malicious CIF files, with possible limited information leakage.

🟢 If Mitigated

Minimal impact if proper input validation and memory protections are in place, potentially just causing application termination.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof-of-concept exploit file is available in a GitHub repository. Remote exploitation is possible via malicious CIF files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor Open Babel GitHub repository for updates.

🔧 Temporary Workarounds

Disable CIF file processing (applies to: all)

  • Prevent Open Babel from processing CIF files to avoid triggering the vulnerability
  • Configure the application to reject CIF file format inputs

Input validation for CIF files (applies to: all)

  • Implement strict validation of CIF files before processing
  • Add pre-processing validation checks for CIF file structure

🧯 If You Can't Patch

  • Restrict Open Babel usage to trusted environments only
  • Implement network segmentation to limit exposure of vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check the Open Babel version with 'obabel --version' or an equivalent command

Check Version:

obabel --version

Verify Fix Applied:

Test with known malicious CIF file from exploit repository
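The version check above and the "Input validation for CIF files" workaround, combined in one added Python example. This is not code from the advisory or from the Open Babel project. It assumes that `obabel --version` prints a dotted version number somewhere in its output (e.g. "Open Babel 3.1.1 -- ..."), and the size and line-length limits are constructed policy values for this example, not thresholds taken from the advisory. The structural pre-check rejects input that is not plausibly a text CIF (binary content, oversized lines, `loop_` headers without tags); it is a gate for obviously malformed files, not a fix for the out-of-bounds read.

```python
import re

# Affected range stated in the advisory: up to and including 3.1.1.
AFFECTED_MAX = (3, 1, 1)

# Constructed limits for the pre-check (policy choices for this example).
MAX_BYTES = 2 * 1024 * 1024
MAX_LINE_CHARS = 2048


def parse_version(version_output):
    """Extract (major, minor, patch) from `obabel --version` output.

    Assumed format: the first dotted version number in the text is the
    Open Babel version, e.g. 'Open Babel 3.1.1 -- ...' -> (3, 1, 1).
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_output):
    """True when the reported Open Babel version is in the affected range."""
    v = parse_version(version_output)
    return v is not None and v <= AFFECTED_MAX


def precheck_cif(data):
    """Plausibility check on CIF bytes before they reach Open Babel.

    Returns (ok, reason). Only obviously malformed input is rejected.
    """
    if len(data) > MAX_BYTES:
        return False, "file exceeds %d bytes" % MAX_BYTES
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8 text"
    # Control characters other than tab, LF and CR do not belong in a text CIF.
    if re.search(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", text):
        return False, "control characters present"
    lines = text.splitlines()
    if any(len(line) > MAX_LINE_CHARS for line in lines):
        return False, "line exceeds %d characters" % MAX_LINE_CHARS
    if not any(line.startswith("data_") for line in lines):
        return False, "no data_ block header"

    # Every loop_ header must be followed by at least one _tag line, and
    # a loop_ directly followed by another loop_ (or by bare values) is malformed.
    expect_tag = False
    loop_line = 0
    for lineno, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if expect_tag:
            if not stripped.startswith("_"):
                return False, "loop_ at line %d not followed by a _tag" % loop_line
            expect_tag = False
        if stripped.lower() == "loop_":
            expect_tag = True
            loop_line = lineno
    if expect_tag:
        return False, "loop_ at line %d has no tags" % loop_line
    return True, "ok"


# Constructed sample input for a stand-alone run.
SAMPLE_CIF = (
    b"data_example\n"
    b"_cell_length_a 10.0\n"
    b"loop_\n"
    b"_atom_site_label\n"
    b"_atom_site_type_symbol\n"
    b"C1 C\n"
    b"O1 O\n"
)

if __name__ == "__main__":
    print("affected:", is_affected("Open Babel 3.1.1 -- constructed sample output"))
    print("precheck:", precheck_cif(SAMPLE_CIF))
```

In a processing pipeline the intended order is: refuse to run at all while `is_affected()` is true for the installed binary unless the input is from a trusted source, and otherwise call `precheck_cif()` on every file before invoking `obabel`.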

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing CIF files
  • Memory access violation errors

Network Indicators:

  • Unexpected CIF file transfers to Open Babel instances

SIEM Query:

Process:obabel AND (EventID:1000 OR ExceptionCode:c0000005)
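The SIEM query and the log indicators above, applied to constructed sample records in an added Python example (not from the advisory or any SIEM product). It assumes normalized event records with the field names `Process`, `EventID` and `ExceptionCode` used in the query, that the Windows image name is `obabel.exe`, and that Linux crashes surface as kernel segfault lines of the form `comm[pid]: segfault at ...`; all sample records are constructed.

```python
import re

# Process names to watch: 'obabel' from the advisory's query, plus the
# Windows image name (assumption for this example).
WATCHED_PROCESSES = {"obabel", "obabel.exe"}
# Windows STATUS_ACCESS_VIOLATION, as used in the advisory's query.
ACCESS_VIOLATION = "c0000005"


def matches_siem_query(event):
    """Apply Process:obabel AND (EventID:1000 OR ExceptionCode:c0000005).

    `event` is a dict with optional keys Process, EventID, ExceptionCode
    (assumed normalized field names). Process may be a full path.
    """
    proc = re.split(r"[\\/]", str(event.get("Process", "")))[-1].lower()
    if proc not in WATCHED_PROCESSES:
        return False
    event_id = str(event.get("EventID", ""))
    exc = str(event.get("ExceptionCode", "")).lower()
    return event_id == "1000" or exc == ACCESS_VIOLATION


# Assumed kernel segfault line format: 'obabel[2231]: segfault at ... error 4 in ...'
SEGFAULT_RE = re.compile(r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at")


def linux_segfault_hit(line):
    """Return the pid when a kernel segfault line names a watched process, else None."""
    m = SEGFAULT_RE.search(line)
    if m and m.group("comm") in WATCHED_PROCESSES:
        return int(m.group("pid"))
    return None


def find_hits(events, syslog_lines):
    """Collect (source, detail) pairs for every record matching the indicators."""
    hits = []
    for ev in events:
        if matches_siem_query(ev):
            hits.append(("windows", ev.get("Process")))
    for line in syslog_lines:
        pid = linux_segfault_hit(line)
        if pid is not None:
            hits.append(("linux", pid))
    return hits


# Constructed sample records.
SAMPLE_EVENTS = [
    {"Process": "C:\\Tools\\OpenBabel\\obabel.exe", "EventID": 1000, "ExceptionCode": "c0000005"},
    {"Process": "obabel", "EventID": 1026, "ExceptionCode": "C0000005"},
    {"Process": "notepad.exe", "EventID": 1000},
    {"Process": "obabel.exe", "EventID": 1001},
]
SAMPLE_SYSLOG = [
    "kernel: obabel[2231]: segfault at 7f3a ip 00007f3a sp 00007ffd error 4 in libopenbabel.so.7[7f3a+1000]",
    "kernel: bash[10]: segfault at 0 ip 0 sp 0 error 4 in bash[0+1000]",
    "sshd[100]: Accepted publickey for user from 10.0.0.1",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS, SAMPLE_SYSLOG):
        print(hit)
```

The Windows branch mirrors the query's boolean logic exactly; the Linux branch is the equivalent of the "Memory access violation errors" indicator on a host without Windows Error Reporting, and should be paired with the application-crash indicator (a CIF file handled shortly before the fault) during triage.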

🔗 References
