CVE-2022-46289: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-46289 is an out-of-bounds write vulnerability discovered in the ORCA format nAtoms functionality of Open Babel 3.1.1 and master commit 530dbfa3. The vulnerability was disclosed on July 21, 2023. Open Babel is a popular library for converting chemical file formats, supporting approximately 130 different file formats and implementing bindings for several programming languages (Talos Report).

The vulnerability stems from a wrap-around issue in the nAtoms calculation functionality. When processing ORCA format files, the code performs an integer multiplication (nAtoms * 3) that can wrap around within 32 bits on systems with 4-byte integers. For example, if nAtoms is set to 1431655766, the multiplication results in 2, leading to an insufficient buffer allocation of only 16 bytes for confCoords. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) from Talos, while NVD assigned it a score of 7.8 HIGH (Talos Report, NVD).

The vulnerability can lead to arbitrary code execution when a specially-crafted malformed file is processed. Due to the nature of the library and its widespread use in online chemical format converters and molecule viewers, this vulnerability is potentially accessible via network, making it particularly dangerous (Talos Report).

As of the disclosure date, no official patch has been released by the maintainer of Open Babel. The vendor did not release a fix during the 90-day window specified in Cisco's vulnerability disclosure policy (Talos Report).