CVE-2026-31964
NULL Pointer Dereference in HTSlib CRAM Encoding Components
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| htslib | htslib | All versions before 1.21.1 (exclusive) |
| htslib | htslib | From 1.22 (inclusive) to 1.22.2 (exclusive) |
| htslib | htslib | 1.23 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31964 is a vulnerability in the HTSlib library's CRAM decoder, which is used for reading and writing compressed DNA sequence alignment data. The CRAM format allows some records to omit sequence or quality data to save space, but these records still require processing of dummy data. The vulnerability occurs because the CONST, XPACK, and XRLE encodings in the decoder do not properly handle cases where the output pointer is NULL, leading to an attempt to write to a NULL pointer.

This results in a NULL pointer dereference, which typically causes the program to crash. The issue affects versions up to 1.21, 1.22, 1.22.1, and 1.23 of HTSlib and has been fixed in versions 1.21.1, 1.22.2, and 1.23.1. There are no known workarounds for this vulnerability. [1]
How can this vulnerability impact me?
Exploiting this vulnerability can cause the affected program using HTSlib to crash due to a NULL pointer dereference. This can lead to a denial of service condition where the software becomes unavailable or stops functioning properly.
The vulnerability does not directly compromise confidentiality, but it is rated as having a low integrity impact, meaning some unauthorized modification of data is considered possible. The attack can be performed remotely without any privileges or user interaction.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a NULL pointer dereference in the HTSlib CRAM decoder, typically resulting in a program crash when decoding certain CRAM records with omitted sequence or quality data using the CONST, XPACK, or XRLE encodings.
Detection can involve monitoring for crashes or abnormal termination of programs using HTSlib to process CRAM files, especially if the files contain records with omitted sequence or quality data.
There are no specific commands or network detection signatures provided in the available information to detect exploitation attempts directly.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade HTSlib to a fixed version that addresses this vulnerability.
- Upgrade to HTSlib version 1.21.1, 1.22.2, or 1.23.1 or later, which include fixes for this issue.
There are no known workarounds for this vulnerability, so applying the patch is essential to prevent crashes caused by NULL pointer dereference.
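Added example (not part of this advisory and not HTSlib's own code): a small Python check that compares an installed HTSlib version string against the affected ranges listed in the table above and names the fixed release to move to. The ranges and fixed versions are the ones this page gives; the banner shape `htsfile (htslib) 1.22.1` is an assumption about how an installed build reports itself, so pass in whatever your package manager or the HTSlib tools actually print.

```python
"""Check whether an installed HTSlib version falls inside the ranges this
advisory lists as affected by CVE-2026-31964 (NULL pointer dereference in
the CRAM CONST/XPACK/XRLE decoders)."""
import re
from typing import Optional, Tuple

# Ranges copied from the advisory's affected-products table:
#   (lower bound inclusive or None, upper bound exclusive or None)
AFFECTED_RANGES = [
    (None, "1.21.1"),    # everything before 1.21.1
    ("1.22", "1.22.2"),  # 1.22 and 1.22.1
    ("1.23", "1.23.1"),  # 1.23 only; 1.23.1 carries the fix
]
# Fixed releases named in the advisory's mitigation answer.
FIXED_VERSIONS = ["1.21.1", "1.22.2", "1.23.1"]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.22.1' (or an assumed banner like 'htsfile (htslib) 1.22.1')
    into a comparable tuple. The first dotted number in the string is used,
    a suffix such as '-rc1' is ignored, and missing components count as
    zero so that '1.23' compares as 1.23.0."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True when `version` lies inside any affected range from the table."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        lo_ok = lower is None or v >= parse_version(lower)
        hi_ok = upper is None or v < parse_version(upper)
        if lo_ok and hi_ok:
            return True
    return False


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest fixed release from the advisory that is newer than
    `version`, or None when the installed build is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed) > v:
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample version strings; the banner-shaped one mirrors the
    # assumed output format of an HTSlib tool, not text from the advisory.
    samples = ["1.20", "1.21.1", "htsfile (htslib) 1.22.1", "1.23", "1.23.1"]
    for sample in samples:
        verdict = "AFFECTED" if is_affected(sample) else "not affected"
        fix = recommended_upgrade(sample)
        print(f"{sample:28} {verdict}" + (f" -> upgrade to {fix}" if fix else ""))
```

Because the fixed releases sit on three different branches, the nearest newer fixed version is always the same-branch patch release, which is what an operator normally wants rather than a jump across branches.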