CVE-2026-2705: Out-of-Bounds Read in Open Babel
A vulnerability was detected in Open Babel up to 3.1.1. The affected element is the function OBAtom::SetFormalCharge in include/openbabel/atom.h, part of the MOL2 File Handler component. Manipulation results in an out-of-bounds read. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a and should be applied to remediate this issue. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2026-2705 is an out-of-bounds read vulnerability found in Open Babel, an open-source chemical toolbox widely used for molecular data conversion and analysis. The vulnerability resides in the OBAtom::SetFormalCharge function located in the include/openbabel/atom.h file, specifically within the MOL2 file handler component. When processing specially crafted MOL2 files, the function can read memory beyond the intended buffer boundaries, leading to potential information disclosure or application instability. The vulnerability can be exploited remotely since Open Babel processes input files that may come from untrusted sources, and no privileges or authentication are required. However, user interaction is necessary to trigger the vulnerability, such as opening or importing a malicious MOL2 file. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity, with attack vector network, low attack complexity, no privileges or authentication needed, and user interaction required. Although no known exploits in the wild have been reported, a public exploit is available, increasing the urgency for remediation. The Open Babel project was notified early but has not yet responded; however, a patch identified by commit e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a is available to fix the issue. This vulnerability primarily impacts scientific, pharmaceutical, and chemical research organizations that rely on Open Babel for molecular file conversions and analyses, especially when handling untrusted MOL2 files.
Potential Impact
The primary impact of CVE-2026-2705 is the potential disclosure of sensitive memory contents due to out-of-bounds reads, which could leak confidential information processed by Open Babel. Additionally, the vulnerability may cause application crashes or denial of service, disrupting workflows that depend on Open Babel for molecular data processing. While the vulnerability does not directly enable remote code execution or privilege escalation, the availability of a public exploit increases the risk of targeted attacks, especially in environments where untrusted MOL2 files are processed. Organizations in pharmaceutical research, chemical engineering, and related scientific fields may face operational disruptions and data confidentiality risks. The medium severity rating reflects the moderate impact and exploitation complexity, but the lack of authentication requirements and remote attack vector make it a notable risk. Failure to patch could lead to exploitation by threat actors aiming to gather sensitive research data or cause denial of service in critical scientific applications.
Mitigation Recommendations
To mitigate CVE-2026-2705, organizations should immediately apply the official patch identified by commit e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a or upgrade Open Babel to a version beyond 3.1.1 that includes the fix. Until patched, restrict the processing of MOL2 files to trusted sources only and implement strict input validation and sandboxing when handling untrusted molecular data. Employ application-level monitoring to detect abnormal crashes or memory access violations indicative of exploitation attempts. Additionally, integrate Open Babel usage within controlled environments with limited network exposure to reduce remote attack surface. Regularly audit and update dependencies and maintain awareness of Open Babel security advisories. For organizations with high-value chemical or pharmaceutical data, consider deploying intrusion detection systems tuned to detect anomalous file parsing behaviors. Finally, establish incident response procedures to quickly address potential exploitation attempts leveraging this vulnerability.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, Canada, Switzerland, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-18T18:05:04.203Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69969ef76aea4a407a3d9a71
Added to database: 2/19/2026, 5:26:15 AM
Last enriched: 3/7/2026, 9:14:37 PM
Last updated: 4/9/2026, 6:14:13 AM