Executive Summary

This vulnerability exists in HTSlib, a library used for reading and writing bioinformatics file formats, specifically in the decoding of CRAM files which store DNA sequence alignment data. CRAM uses reference-based compression by storing positions in an external reference sequence along with differences. The vulnerability arises because the function `cram_decode_seq()` does not sufficiently validate the feature data series, allowing it to copy data from outside the valid reference boundaries—either before the start or after the end of the stored reference—into buffers used for output sequences or SAM MD tags.

This improper validation can lead to leaking arbitrary data from memory to the calling function, potentially exposing sensitive program state information. It can also cause program crashes due to invalid memory access. The issue has been fixed in versions 1.23.1, 1.22.2, and 1.21.1 by adding boundary checks and rejecting malformed CRAM data that could trigger these out-of-bounds accesses.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing unintended information disclosure and program instability. Specifically, it may allow an attacker or malformed CRAM file to leak arbitrary data from the program's memory, potentially revealing sensitive information about the program's internal state.

Additionally, the vulnerability can cause the program to crash due to attempts to access invalid memory regions, leading to denial of service or disruption of bioinformatics workflows that rely on HTSlib for CRAM file processing.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability relates to malformed or malicious CRAM files processed by the HTSlib library, specifically during CRAM decoding. Detection involves identifying CRAM files that contain invalid or out-of-bounds reference positions or negative-length features in CIGAR operations.

While there are no direct network detection commands provided, you can detect potentially vulnerable CRAM files by attempting to decode them with a patched or updated version of HTSlib that includes the fixes. If the decoding process rejects files or triggers error handling due to invalid reference positions or negative-length features, this indicates the presence of malformed data that could exploit the vulnerability.

Suggested approach to detect problematic CRAM files on your system:

• Use the latest version of samtools or any tool that uses HTSlib (version 1.23.1 or later) to attempt to view or convert CRAM files.
• Run a command such as `samtools view file.cram` to decode the CRAM file. If the file is malformed (e.g., contains negative-length features or out-of-bounds reference positions), the decoding will fail or produce error messages.
• Monitor logs or error outputs for messages related to CRAM decoding failures or rejections.

No specific network scanning commands or signatures are provided in the resources, as the vulnerability is related to file parsing rather than network protocol behavior.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update HTSlib to a fixed version that includes the patches addressing CVE-2026-31966. Versions 1.23.1, 1.22.2, and 1.21.1 contain fixes that prevent out-of-bounds reads and reject malformed CRAM files.

Since there is no workaround for this issue, immediate actions include:

• Upgrade HTSlib to version 1.23.1 or later.
• Ensure all tools and pipelines that use HTSlib for CRAM file processing are updated accordingly.
• Avoid processing untrusted or suspicious CRAM files until the update is applied.

The patches add strict validation checks during CRAM decoding to reject files with negative-length features or out-of-bounds reference positions, preventing memory corruption or information leakage.

Useful 0 Not Useful 0