CVE-2026-31962
Heap Buffer Overflow in HTSlib CRAM Decoder Enables Code Execution

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully, as they will actually store data that needs to be consumed and then discarded. Unfortunately the `cram_decode_seq()` function did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or to overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products

Vendor   Product   Version / Range
htslib   htslib    up to 1.21.1 (excluding)
htslib   htslib    from 1.22 (including) up to 1.22.2 (excluding)
htslib   htslib    1.23
CWE ID    Description
CWE-125   The product reads data past the end, or before the beginning, of the intended buffer.
CWE-122   A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-787   The product writes data past the end, or before the beginning, of the intended buffer.
CWE-129   The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31962 is a high-severity heap buffer overflow vulnerability in the HTSlib library's CRAM reader, which is used for reading and writing bioinformatics file formats. The CRAM format compresses DNA sequence alignment data and sometimes omits DNA sequence and quality values to save space, but still stores data that must be processed and discarded carefully.

The vulnerability arises from improper input validation in the function cram_decode_seq(). This function mishandles certain CRAM records by reading one byte beyond the allocated heap buffer and then writing a single attacker-controlled byte to that out-of-bounds location, causing a heap buffer overflow.

Exploiting this flaw can cause the program to crash or overwrite heap data structures unexpectedly, potentially enabling arbitrary code execution. The vulnerability requires no privileges, user interaction, or special attack conditions and can be exploited remotely via crafted CRAM files. [1]


How can this vulnerability impact me?

If you use HTSlib to process CRAM files, opening a specially crafted malicious CRAM file could cause your program to crash or behave unpredictably due to heap buffer overflow.

More seriously, this vulnerability could allow an attacker to overwrite data and heap structures in memory, potentially leading to arbitrary code execution on your system without requiring any privileges or user interaction.

This means an attacker could remotely exploit this vulnerability to execute malicious code, compromise system integrity, or disrupt availability of services that rely on HTSlib.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from processing specially crafted CRAM files with vulnerable versions of HTSlib (up to 1.23). Detection involves identifying usage of affected HTSlib versions and monitoring for crashes or abnormal behavior when handling CRAM files.

Since the vulnerability is triggered by opening malicious CRAM files, one detection approach is to check the version of HTSlib installed on your system to see if it is one of the vulnerable versions (prior to 1.21.1, 1.22.2, or 1.23.1).

Commands to detect vulnerable versions might include:

  • htslib version check: Run `htslib --version` or check the version of the library in your bioinformatics tools.
  • Package manager query: For example, `dpkg -l | grep htslib` on Debian-based systems or `rpm -qa | grep htslib` on RPM-based systems.
  • Monitor logs or crash reports for programs using HTSlib that process CRAM files, as exploitation may cause crashes or heap corruption.

There are no specific network detection commands or signatures mentioned for detecting exploitation attempts, as the attack vector is opening crafted CRAM files locally or remotely.
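The version check above can be scripted. The POSIX shell helper below is an added example, not part of this record or of the HTSlib project: it classifies a version string against exactly the affected ranges listed in this record (below 1.21.1, 1.22 up to but excluding 1.22.2, and 1.23.0) and treats everything else as fixed. HTSlib is a library and installs no `htslib` executable, so the version is normally read from a tool built on it; the banner formats assumed here ("Using htslib X.Y" from `samtools --version`, "htsfile (htslib) X.Y" from `htsfile --version`) are assumptions about those tools' output, and the sample banner is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the HTSlib project): classify an
# installed HTSlib version against the affected ranges in this CVE record.
# Affected per this page: < 1.21.1, 1.22 to < 1.22.2, and 1.23 (i.e. 1.23.0);
# fixed in 1.21.1, 1.22.2 and 1.23.1. Anything else is treated as not affected.

# Turn "MAJOR.MINOR[.PATCH]" into one comparable integer. Leading text and a
# trailing suffix such as the "-3" in "1.23.1-3" are stripped; a missing
# patch level counts as 0, so "1.23" compares as 1.23.0.
version_key() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    if [ -z "$v" ]; then
        echo 0
        return 0
    fi
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Print "vulnerable" or "fixed" for a version string, following the record's
# three affected ranges. The 1.21.x, 1.22.x and 1.23.x branches each have
# their own fixed release, so a plain "is it older than 1.23.1" test is wrong:
# 1.21.1 is fixed although it is older than 1.22.0, which is vulnerable.
htslib_status() {
    k=$(version_key "$1")
    if [ "$k" -lt "$(version_key 1.21.1)" ]; then
        echo vulnerable   # everything before 1.21.1, including 1.20.x and older
    elif [ "$k" -ge "$(version_key 1.22)" ] && [ "$k" -lt "$(version_key 1.22.2)" ]; then
        echo vulnerable   # 1.22.0 and 1.22.1
    elif [ "$k" -eq "$(version_key 1.23)" ]; then
        echo vulnerable   # 1.23.0 (fixed in 1.23.1)
    else
        echo fixed
    fi
}

# Pull the HTSlib version out of a tool banner read on stdin. Assumed formats
# (assumptions, not verified against every release): "samtools --version"
# prints a line "Using htslib 1.23.1"; "htsfile --version" prints
# "htsfile (htslib) 1.23.1". Only the first match is used.
extract_htslib_version() {
    sed -n 's/.*htslib[) ]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Constructed sample banner standing in for real "samtools --version" output.
SAMPLE_BANNER='samtools 1.22
Using htslib 1.22.1
Copyright (C) 2025 Genome Research Ltd.'

# Report the status of whatever HTSlib version a banner mentions.
check_banner() {
    ver=$(printf '%s\n' "$1" | extract_htslib_version)
    if [ -z "$ver" ]; then
        echo "unknown: no htslib version found in banner"
        return 0
    fi
    echo "htslib $ver: $(htslib_status "$ver")"
}

check_banner "$SAMPLE_BANNER"   # prints: htslib 1.22.1: vulnerable
# Against a real installation, pipe the tool's banner in instead:
#   samtools --version | extract_htslib_version
#   htsfile --version | extract_htslib_version
```

Because each maintained branch got its own fix, the status function compares against all three fixed releases rather than a single cut-off; a check that only asks "older than 1.23.1?" would wrongly flag a patched 1.21.1 or 1.22.2 as vulnerable. Statically linked tools embed their own copy of HTSlib, so the package manager queries listed above do not cover them; the banner of each tool is the more reliable source.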


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade HTSlib to a fixed version that addresses this vulnerability.

  • Update HTSlib to version 1.21.1, 1.22.2, 1.23.1 or later, as these versions include the fix for CVE-2026-31962.

There are no workarounds available for this issue, so patching is the only effective mitigation.

Additionally, avoid opening or processing untrusted or suspicious CRAM files with vulnerable versions of HTSlib to reduce risk until patched.

