CVE-2026-2704 identifies a security vulnerability in Open Babel, an open-source chemical toolbox widely used for converting, analyzing, and processing chemical data. The vulnerability exists in the function OpenBabel::transform3d::DescribeAsString, located in src/math/transform3d.cpp, part of the CIF File Handler component. This function improperly handles input data, leading to an out-of-bounds read condition. An attacker can remotely supply crafted input that triggers this flaw, causing the application to read memory beyond the intended buffer boundaries. This can result in information leakage or potentially cause the application to crash, affecting availability. The vulnerability does not require authentication or elevated privileges but does require user interaction, such as opening or processing a maliciously crafted CIF file. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the network attack vector, low complexity, no privileges required, and limited impact on confidentiality. A patch identified by commit e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a has been developed but the Open Babel project has not yet publicly responded or released an official update. No exploits have been observed in the wild to date, but public disclosure increases the risk of exploitation attempts.

The primary impact of CVE-2026-2704 is the potential for unauthorized disclosure of memory contents due to out-of-bounds reads, which could expose sensitive information processed by Open Babel. Additionally, exploitation may cause application crashes, leading to denial of service conditions. Organizations relying on Open Babel for chemical data analysis, research, or integration into larger pipelines may face operational disruptions or data confidentiality risks. Since the vulnerability can be triggered remotely and without authentication, attackers could exploit it by tricking users into processing malicious CIF files, increasing the attack surface. While the severity is medium, the impact is more significant in environments where chemical data confidentiality is critical or where Open Babel is integrated into automated workflows processing untrusted data. The lack of an official patch release and public project response could delay mitigation, increasing exposure time.

To mitigate CVE-2026-2704, organizations should immediately apply the patch identified by commit e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a once it is officially released by the Open Babel project. Until then, restrict or monitor the processing of CIF files from untrusted or unauthenticated sources to prevent exploitation. Implement input validation and sandboxing around Open Babel processes to limit the impact of potential crashes or memory disclosures. Employ network-level controls to limit exposure of services that utilize Open Babel and enforce strict user awareness training to avoid opening suspicious chemical data files. Additionally, consider deploying runtime memory protection tools such as AddressSanitizer or similar to detect out-of-bounds reads during testing and operation. Regularly monitor vulnerability advisories for updates and verify the integrity of Open Babel binaries to prevent tampering.