CVE-2026-31962
Heap Buffer Overflow in HTSlib CRAM Decoder Enables Code Execution
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| htslib | htslib | Up to 1.21.1 (excluding) |
| htslib | htslib | From 1.22 (including) to 1.22.2 (excluding) |
| htslib | htslib | 1.23 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31962 is a high-severity heap buffer overflow vulnerability in the HTSlib library's CRAM reader, which is used for reading and writing bioinformatics file formats. The CRAM format compresses DNA sequence alignment data and sometimes omits DNA sequence and quality values to save space, but still stores data that must be processed and discarded carefully.

The vulnerability arises from improper input validation in the function cram_decode_seq(). This function mishandles certain CRAM records by reading one byte beyond the allocated heap buffer and then writing a single attacker-controlled byte to that out-of-bounds location, causing a heap buffer overflow.

Exploiting this flaw can cause the program to crash or overwrite heap data structures unexpectedly, potentially enabling arbitrary code execution. The vulnerability requires no privileges, user interaction, or special attack conditions and can be exploited remotely via crafted CRAM files. [1]
How can this vulnerability impact me?
If you use HTSlib to process CRAM files, opening a specially crafted malicious CRAM file could cause your program to crash or behave unpredictably due to heap buffer overflow.
More seriously, this vulnerability could allow an attacker to overwrite data and heap structures in memory, potentially leading to arbitrary code execution on your system without requiring any privileges or user interaction.
This means an attacker could remotely exploit this vulnerability to execute malicious code, compromise system integrity, or disrupt availability of services that rely on HTSlib.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from processing specially crafted CRAM files with vulnerable versions of HTSlib (up to 1.23). Detection involves identifying usage of affected HTSlib versions and monitoring for crashes or abnormal behavior when handling CRAM files.
Since the vulnerability is triggered by opening malicious CRAM files, one detection approach is to check the version of HTSlib installed on your system to see if it is one of the vulnerable versions (prior to 1.21.1, 1.22.2, or 1.23.1).
Commands to detect vulnerable versions might include:
- htslib version check: Run `htslib --version` or check the version of the library in your bioinformatics tools.
- Package manager query: For example, `dpkg -l | grep htslib` on Debian-based systems or `rpm -qa | grep htslib` on RPM-based systems.
- Monitor logs or crash reports for programs using HTSlib that process CRAM files, as exploitation may cause crashes or heap corruption.
There are no specific network detection commands or signatures mentioned for detecting exploitation attempts, as the attack vector is opening crafted CRAM files locally or remotely.
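The version check described above, as an added example that is not part of this page or of the HTSlib project: it takes a version string (for example the "Using htslib ..." line that `samtools --version` prints, or a package-manager version such as `1.22.1-2`) and tests it against the affected ranges from the table on this page. The 1.23.1 upper bound for the 1.23 range is taken from the mitigation answer; the function names are this example's own.

```python
import re

# Affected ranges for CVE-2026-31962, transcribed from this page's
# "Affected Vendors & Products" table as (lower inclusive, upper exclusive).
# The 1.23 row is bounded by 1.23.1, the fixed release named in the
# mitigation answer. Versions above every range are treated as fixed.
AFFECTED_RANGES = [
    ((0, 0, 0), (1, 21, 1)),   # everything before 1.21.1
    ((1, 22, 0), (1, 22, 2)),  # 1.22 up to but excluding 1.22.2
    ((1, 23, 0), (1, 23, 1)),  # 1.23, fixed in 1.23.1
]


def parse_version(text):
    """Extract the htslib version as a (major, minor, patch) tuple.

    Accepts bare strings such as '1.22.1', Debian-style '1.22.1-2', and
    multi-line tool output such as 'samtools 1.19.2\\nUsing htslib 1.23'.
    When the text mentions htslib explicitly, the number following that
    word wins over any other version number in the text, so the samtools
    version on the first line is not mistaken for the library version.
    A missing patch component is treated as 0 (so '1.22' means 1.22.0).
    """
    m = re.search(r'htslib[^\d]*(\d+)\.(\d+)(?:\.(\d+))?', text, re.IGNORECASE)
    if m is None:
        m = re.search(r'(\d+)\.(\d+)(?:\.(\d+))?', text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(text):
    """True if the version in `text` falls inside any affected range."""
    version = parse_version(text)
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def classify(text):
    """Human-readable verdict for one version string."""
    v = parse_version(text)
    label = "AFFECTED, upgrade" if is_affected(text) else "not affected"
    return f"htslib {v[0]}.{v[1]}.{v[2]}: {label}"


if __name__ == "__main__":
    # Constructed sample inputs covering both sides of every boundary.
    for sample in ["1.20", "1.21.1", "1.22", "1.22.1-2", "1.22.2",
                   "samtools 1.19.2\nUsing htslib 1.23", "1.23.1"]:
        print(classify(sample))
```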
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade HTSlib to a fixed version that addresses this vulnerability.
- Update HTSlib to version 1.21.1, 1.22.2, 1.23.1 or later, as these versions include the fix for CVE-2026-31962.
There are no workarounds available for this issue, so patching is the only effective mitigation.
Additionally, avoid opening or processing untrusted or suspicious CRAM files with vulnerable versions of HTSlib to reduce risk until patched.