CVE-2022-46294: 
Linux Debian vulnerability analysis and mitigation

Multiple out-of-bounds write vulnerabilities exist in the translationVectors parsing functionality in multiple supported formats of Open Babel 3.1.1 and master commit 530dbfa3. The vulnerability, identified as CVE-2022-46294, specifically affects the MOPAC Cartesian file format. This security flaw was discovered by Claudio Bozzato of Cisco Talos and publicly disclosed on July 21, 2023 (Talos Report).

The vulnerability exists in the MOPACCART file format (formats/mopacformat.cpp) which parses input files via ReadMolecule. The issue occurs when processing translation vectors, where an array index (numTranslationVectors) can be incremented without bounds checking, leading to an out-of-bounds write condition. The vulnerability has received a CVSS 3.1 Base Score of 7.8 (HIGH) from NIST NVD with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Talos assessed it with a CVSS score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

A specially-crafted malformed file can lead to arbitrary code execution. The vulnerability allows an attacker to provide a malicious file to trigger this vulnerability, potentially leading to arbitrary code execution depending on the platform and how the code is compiled (Talos Report).

As of the disclosure date, no official fix has been released by Open Babel. The vendor declined to release an update within the 90-day period as outlined in Cisco's vulnerability disclosure policy (Vulnerability Roundup).