CVE-2026-31965
Out-of-Bounds Read in HTSlib CRAM Causes Potential Crash

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, validation of the reference id field occurred too late, allowing two out-of-bounds reads to occur before the invalid data was detected. The bug does allow two values to be leaked to the caller; however, as the function reports an error, it may be difficult to exploit them. It is also possible that the program will crash due to trying to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
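The ordering problem the description refers to is a general CWE-129 pattern: an untrusted field is used as an array index and only afterwards checked against the table size. The following is an added example, not HTSlib's code; the `ref_table`, `slice_out`, `decode_slice_late()` and `decode_slice_early()` names and the sample reference table are hypothetical constructions standing in for a CRAM reader's per-file reference metadata. It places a late-validation decoder beside an early-validation one so the difference in what reaches the caller is visible.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reference table, standing in for the per-file reference
 * metadata a CRAM reader keeps. Names are the example's, not HTSlib's. */
typedef struct {
    int nref;                 /* number of references known to the file */
    const char **ref_name;    /* nref names */
    const int *ref_len;       /* nref lengths */
} ref_table;

/* Values a slice decoder hands back to its caller. */
typedef struct {
    const char *ref_name;
    int ref_len;
} slice_out;

/* Late validation: the untrusted ref_id indexes both tables before it is
 * checked. With an out-of-range id this performs two out-of-bounds reads,
 * and the values land in *out even though the function then reports an
 * error. Depending on the address, the read itself may crash the process. */
int decode_slice_late(const ref_table *t, int ref_id, slice_out *out)
{
    out->ref_len  = t->ref_len[ref_id];   /* out-of-bounds read #1 */
    out->ref_name = t->ref_name[ref_id];  /* out-of-bounds read #2 */
    if (ref_id < 0 || ref_id >= t->nref)
        return -1;                        /* error reported, but too late */
    return 0;
}

/* Early validation: reject the id before it is used as an index, and leave
 * *out untouched on error so nothing read from memory reaches the caller.
 * Real CRAM uses negative sentinel ids for unmapped and multi-reference
 * slices; a real decoder handles those before indexing. This example only
 * accepts 0 .. nref-1. */
int decode_slice_early(const ref_table *t, int ref_id, slice_out *out)
{
    if (ref_id < 0 || ref_id >= t->nref)
        return -1;
    out->ref_len  = t->ref_len[ref_id];
    out->ref_name = t->ref_name[ref_id];
    return 0;
}

/* Constructed sample table for demonstration (not real reference data). */
static const char *sample_names[] = { "chr1", "chr2", "chrM" };
static const int   sample_lens[]  = { 1000, 900, 16569 };
static const ref_table sample_table = { 3, sample_names, sample_lens };

/* Returns the reference length a decoder reports for ref_id, or -1 if the
 * decoder rejected the id. Used to exercise both decoders on valid ids. */
int ref_len_via(int (*decoder)(const ref_table *, int, slice_out *), int ref_id)
{
    slice_out out = { NULL, -1 };
    return decoder(&sample_table, ref_id, &out) == 0 ? out.ref_len : -1;
}

/* Returns 1 if the early-validation decoder rejected ref_id AND left the
 * output struct exactly as the caller initialised it (no leaked values). */
int early_rejects_cleanly(int ref_id)
{
    slice_out out = { "untouched", -42 };
    int rc = decode_slice_early(&sample_table, ref_id, &out);
    return rc == -1 && out.ref_len == -42 &&
           strcmp(out.ref_name, "untouched") == 0;
}

int main(void)
{
    slice_out out = { "untouched", -42 };
    int bad = sample_table.nref + 5;  /* an id a malformed file could carry */
    if (decode_slice_early(&sample_table, bad, &out) != 0)
        printf("ref_id %d rejected before any table access; out = {%s, %d}\n",
               bad, out.ref_name, out.ref_len);
    if (decode_slice_early(&sample_table, 2, &out) == 0)
        printf("ref_id 2 -> %s, length %d\n", out.ref_name, out.ref_len);
    return 0;
}
```

The `main()` only feeds the out-of-range id to the early-validation decoder; calling `decode_slice_late()` with it would perform the very reads the advisory describes. The point to carry over to review of any decoder is that the check must precede the first use of the index, and that error paths should not populate caller-visible output with partially decoded data.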
Meta Information
  • Published: 2026-03-18
  • Last Modified: 2026-03-19
  • Generated: 2026-05-07
  • AI Q&A: 2026-03-18
  • EPSS Evaluated: 2026-05-05
  • External records: NVD, EUVD
Affected Vendors & Products
Showing 3 associated CPEs

Vendor    Product   Version / Range
htslib    htslib    up to 1.21.1 (excluded)
htslib    htslib    from 1.22 (included) to 1.22.2 (excluded)
htslib    htslib    1.23
CWE ID     Description
CWE-125    The product reads data past the end, or before the beginning, of the intended buffer.
CWE-129    The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31965 is a moderate severity vulnerability in HTSlib, a library used for reading and writing bioinformatics file formats, specifically affecting the CRAM compressed DNA sequence alignment format.

The issue occurs in the `cram_decode_slice()` function during CRAM record reading, where the validation of the reference ID field is performed too late. This improper validation leads to two out-of-bounds reads before the invalid data is detected.

The vulnerability allows leakage of two values to the caller, though exploitation is challenging since the function reports an error upon detection. Additionally, the bug may cause program crashes due to invalid memory access.

Affected HTSlib versions include 1.21, 1.22, 1.22.1, and 1.23. Fixed versions are 1.21.1, 1.22.2, and 1.23.1. No workarounds exist for this issue.


How can this vulnerability impact me?

This vulnerability can impact you by causing leakage of two values from memory due to out-of-bounds reads, potentially exposing sensitive data.

It may also cause the affected program to crash because of invalid memory access, leading to availability issues.

  • Confidentiality Impact: Low (leakage of two values)
  • Integrity Impact: null
  • Availability Impact: Low (possible crashes)

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs during the reading of CRAM files by the HTSlib library, specifically in the cram_decode_slice() function when processing CRAM records with invalid reference IDs.

Detection can involve monitoring for program crashes or errors related to CRAM file processing, as the function reports an error upon detecting invalid reference IDs and may cause crashes due to out-of-bounds reads.

Since the vulnerability is in a library function, direct network detection commands are not specified. However, you can check the version of HTSlib installed on your system to determine if it is vulnerable.

  • Run the command `htslib --version` or check the version of the software using HTSlib to verify if it is older than 1.21.1, 1.22.2, or 1.23.1, which contain the fixes.
  • Monitor logs or outputs of bioinformatics tools that use HTSlib for errors or crashes when processing CRAM files.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update HTSlib to a fixed version that addresses this vulnerability.

  • Upgrade HTSlib to version 1.21.1, 1.22.2, or 1.23.1 or later, as these versions include the necessary validation checks to prevent the out-of-bounds reads.

There are no workarounds available for this issue, so applying the update is essential.

Additionally, ensure that any software depending on HTSlib is also updated to use the patched library versions.

