MEDIUM 4.4

GHSA-6xw4-2g22-26h8

Open Babel has an out-of-bounds read in CIF transform3d::DescribeAsString

Details

> ### Summary
>
> A memory-safety vulnerability in Open Babel's CIF file format parser
> allowed an out-of-bounds read when reading a crafted input file.
>
> ### Details
>
> The flaw was in `OpenBabel::transform3d::DescribeAsString`. A malformed
> symmetry-operation string caused the parser to read past the end of its
> internal buffer while formatting the description.
>
> ### Impact
>
> Open Babel is a C++ library and CLI used to read and write chemistry
> file formats; it is shipped by Linux distributions and embedded in
> services that may parse untrusted input. Triggering this vulnerability
> requires the victim to open a malicious CIF file with the `obabel`
> tool, the OBConversion API, or any of the language bindings.
>
> ### Affected versions
>
> All releases up to and including 3.1.1.
>
> ### Patched version
>
> 3.2.0 (released 2026-05-26).
>
> ### Patch
>
> Fix commit: https://github.com/openbabel/openbabel/commit/e23a224b
> Tracked in #2862.
>
> A minimized reproducer for this CVE is checked in at
> `test/files/fuzz_regress/cve-2026-2704.cif` and is exercised on every
> CI build under ASAN+UBSAN by the `fuzzregresstest` harness.
>
> ### Credit
>
> Reported by Vedant Madane (@VedantMadane).


Affected packages

PyPI / openbabel
Introduced in: 0 | Fixed in: 3.2.0
Fix: `pip install --upgrade 'openbabel>=3.2.0'`

References