CVE-2026-31963
Heap Buffer Overflow in HTSlib CRAM Decoder Enables Code Execution
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| htslib | htslib | Before 1.21.1 (excluding 1.21.1) |
| htslib | htslib | From 1.22 (inclusive) to 1.22.2 (excluding 1.22.2) |
| htslib | htslib | 1.23 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in HTSlib, a library used for reading and writing bioinformatics file formats, specifically in the handling of CRAM files which store DNA sequence alignment data.
CRAM uses reference-based compression: each record stores a position in an external reference sequence together with the differences from that reference, encoded as features. The vulnerability is an off-by-one error in the decoding of features whose position lies beyond the end of the CRAM record's sequence.
This error permits an invalid write of one attacker-controlled byte just past the end of a heap buffer, i.e. a heap buffer overflow.
If a user opens a specially crafted file exploiting this bug, it could cause the program to crash or overwrite data and heap structures unexpectedly, potentially allowing arbitrary code execution.
How can this vulnerability impact me?
Exploiting this vulnerability can cause the affected program to crash or behave unpredictably due to heap buffer overflow.
More seriously, it may allow an attacker to execute arbitrary code on the system running the vulnerable HTSlib version if they can supply a crafted CRAM file.
This could lead to unauthorized control over the system, data corruption, or other security breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by decoding a specially crafted CRAM file whose feature positions lie out of bounds. Detection therefore consists of identifying installations of vulnerable HTSlib versions (anything before the fixed releases 1.21.1, 1.22.2, or 1.23.1 in their respective branches) and monitoring for crashes or abnormal behavior while decoding CRAM files.
There are no specific network detection commands for this issue, but you can check the HTSlib version installed on a system with commands such as:
- A tool linked against HTSlib, e.g. `htsfile --version` (shipped with HTSlib) or `samtools --version` (which also reports the HTSlib version it is linked against)
- The package manager, e.g. `dpkg -l | grep htslib` on Debian-based systems or `rpm -qa | grep htslib` on RPM-based systems
Additionally, monitoring application logs for errors related to CRAM decoding or unexpected crashes when processing CRAM files may help detect exploitation attempts.
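As an added example (not part of this advisory or of HTSlib), the following POSIX shell script classifies an HTSlib version string against the affected ranges listed in the table above, so the version check can be scripted across many hosts. It assumes plain `major.minor[.patch]` version strings and that the first line of `htsfile --version` ends with the version number; both are assumptions, not facts stated on this page.

```shell
#!/bin/sh
# Added example: decide whether an installed HTSlib version falls in one of the
# affected ranges for CVE-2026-31963 as listed on this page:
#   before 1.21.1; 1.22 up to (excluding) 1.22.2; 1.23 (fixed in 1.23.1).

# ver_key VERSION -> prints a zero-padded key so versions compare as integers
# (missing components are treated as 0, so "1.22" and "1.22.0" compare equal).
ver_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ') 0 0
    printf '%03d%03d%03d' "$1" "$2" "$3"
}

# htslib_is_affected VERSION
#   exit 0 -> version is in an affected range
#   exit 1 -> version is a fixed release (1.21.1, 1.22.2, 1.23.1 or later)
#   exit 2 -> string is not a parseable major.minor[.patch] version
htslib_is_affected() {
    case "$1" in
        ''|*[!0-9.]*) return 2 ;;
    esac
    k=$(ver_key "$1")
    # affected: anything before 1.21.1
    if [ "$k" -lt "$(ver_key 1.21.1)" ]; then return 0; fi
    # affected: 1.22 <= version < 1.22.2
    if [ "$k" -ge "$(ver_key 1.22)" ] && [ "$k" -lt "$(ver_key 1.22.2)" ]; then return 0; fi
    # affected: 1.23 <= version < 1.23.1
    if [ "$k" -ge "$(ver_key 1.23)" ] && [ "$k" -lt "$(ver_key 1.23.1)" ]; then return 0; fi
    return 1
}

# check_installed -> reads the version from htsfile, if present on this host.
# Assumption: the first line of `htsfile --version` ends with the version number.
check_installed() {
    command -v htsfile >/dev/null 2>&1 || { echo "htsfile not found; check the package manager instead"; return 2; }
    v=$(htsfile --version 2>/dev/null | awk 'NR==1 {print $NF}')
    if htslib_is_affected "$v"; then
        echo "htslib $v: AFFECTED by CVE-2026-31963, upgrade required"
        return 0
    else
        echo "htslib $v: not in an affected range"
        return 1
    fi
}

# Uncomment to run against the local installation:
# check_installed
```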
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade HTSlib to the fixed release for your branch: 1.21.1, 1.22.2, or 1.23.1 (or later). These releases validate CRAM feature positions correctly and prevent the out-of-bounds write.
There is no workaround for this issue, so applying the update is the only way to remove the heap buffer overflow.
Avoid opening or processing untrusted or suspicious CRAM files until the update is applied.