CVE-2025-10996 is a heap-based buffer overflow vulnerability identified in Open Babel versions up to 3.1.1, specifically within the OBSmilesParser::ParseSmiles function located in the /src/formats/smilesformat.cpp source file. Open Babel is an open-source chemical toolbox designed to speak the many languages of chemical data. The vulnerability arises when the parser processes SMILES (Simplified Molecular Input Line Entry System) strings, which are textual representations of chemical structures. Improper handling or manipulation of these inputs can lead to a heap-based buffer overflow, a condition where data exceeds the allocated buffer size in heap memory, potentially overwriting adjacent memory. This can result in unpredictable behavior including crashes, data corruption, or arbitrary code execution. The vulnerability requires local access to the system (local attack vector) and low privileges (PR:L), with no user interaction needed. The CVSS 4.0 base score is 4.8, indicating a medium severity level. The exploit is publicly available, increasing the risk of exploitation, although no known exploits in the wild have been reported yet. The vulnerability does not require elevated privileges or user interaction, but the attacker must have local access to the system to trigger the overflow. The scope is limited to confidentiality, integrity, and availability impacts at a low level, as indicated by the CVSS vector. No patches or fixes are currently linked, suggesting that mitigation may require manual intervention or updates from the Open Babel project. Given the nature of the vulnerability, it primarily affects systems where Open Babel is installed and used, such as research institutions, pharmaceutical companies, and chemical data processing environments.

For European organizations, especially those involved in chemical research, pharmaceuticals, and academic institutions using Open Babel for chemical data parsing and analysis, this vulnerability poses a moderate risk. Exploitation could lead to denial of service through application crashes or potentially allow an attacker with local access to execute arbitrary code, compromising system integrity and confidentiality. While the requirement for local access limits remote exploitation, insider threats or compromised user accounts could leverage this vulnerability. The public availability of the exploit code increases the likelihood of attempts to exploit this flaw. Disruption in chemical data processing could delay research and development activities, impacting productivity and potentially leading to intellectual property theft or data manipulation. Organizations relying heavily on Open Babel should be aware of this vulnerability to prevent potential breaches or operational disruptions.

1. Restrict local access to systems running Open Babel to trusted users only, employing strict access controls and monitoring. 2. Implement application sandboxing or containerization to limit the impact of potential exploitation. 3. Monitor systems for unusual behavior or crashes related to Open Babel processes, enabling early detection of exploitation attempts. 4. Regularly audit and update Open Babel installations, applying patches or updates as soon as they become available from the vendor or open-source community. 5. Consider employing input validation or sanitization mechanisms at the application level to prevent malformed SMILES strings from being processed. 6. Educate users about the risks of running untrusted code or inputs locally, especially in environments where Open Babel is used. 7. Use host-based intrusion detection systems (HIDS) to detect anomalous activities that may indicate exploitation attempts. 8. If feasible, isolate chemical data processing environments from general user environments to reduce attack surface.