CVE-2026-31966
Buffer Overflow in HTSlib CRAM Decoder Causes Data Leak
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected version range |
|---|---|---|
| htslib | htslib | < 1.21.1 (all releases before 1.21.1) |
| htslib | htslib | 1.22 ≤ version < 1.22.2 |
| htslib | htslib | = 1.23 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by malformed or malicious CRAM files processed by HTSlib's CRAM decoder. Detection therefore means finding CRAM files whose feature data series carry reference positions outside the stored reference, or features with a negative length, rather than watching network traffic.
No network detection commands or signatures are provided in the resources, because the flaw is in file parsing, not in a network protocol. What you can do is decode each CRAM file with a patched HTSlib build (1.23.1, or 1.22.2 / 1.21.1 on the older branches): the fixed versions validate reference positions and feature lengths and reject files that would have triggered the out-of-bounds read. A rejection is a strong hint that the file is malformed, but note that an unpatched build may decode the same file "successfully" while leaking memory, so the check is only meaningful on a fixed version, and a rejected file may also be ordinary corruption rather than an attack.
Suggested approach for finding problematic CRAM files on a system:
- Confirm the tool you use is linked against a fixed HTSlib. `samtools --version` prints the HTSlib version it was built with (look for the `Using htslib` line); samtools and bcftools bundle HTSlib, so the library version matters, not only the samtools version.
- Decode every CRAM file with that tool and check the exit status, for example `samtools view file.cram > /dev/null` (supply the reference with `-T ref.fa` if the file does not embed it or it is not reachable via the reference cache). A non-zero exit or an error message about invalid reference positions or negative-length features indicates the file is malformed.
- Capture stderr from pipeline jobs and alert on CRAM decoding failures or rejections.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update HTSlib to a release that contains the fix for CVE-2026-31966: 1.23.1, 1.22.2 or 1.21.1, depending on which branch you track. Each of these adds boundary checks that reject CRAM data with negative-length features or reference positions outside the stored reference, so the out-of-bounds read cannot happen.
There is no workaround other than not decoding untrusted data, so the immediate actions are:
- Upgrade HTSlib to 1.23.1 (or 1.22.2 / 1.21.1 on the older branches), and rebuild or reinstall anything that links it statically. samtools and bcftools ship their own HTSlib copy, so check `samtools --version` for the `Using htslib` line rather than assuming a system package update covered them.
- Update every tool and pipeline that decodes CRAM through HTSlib, including container images and workflow environments that pin old versions.
- Until the update is in place, do not decode CRAM files from untrusted sources, and treat SAM/BAM output or MD tags produced from suspicious CRAM input on an unpatched build as potentially containing leaked process memory.
Can you explain this vulnerability to me?
This vulnerability exists in HTSlib, a library for reading and writing bioinformatics file formats, specifically in the decoder for CRAM files, which store DNA sequence alignments. CRAM achieves reference-based compression by recording, for each read, a position in an external reference sequence plus a series of "features" describing where the read differs from it; bases that match are not stored but copied back out of the reference on decode. The flaw is that `cram_decode_seq()` does not sufficiently validate this feature data series. A feature with an out-of-range reference position (before the start or past the end of the stored reference) or a negative length causes the decoder to copy bytes from outside the reference buffer into the buffers used for the output sequence or the SAM MD tag.
Because those bytes come from whatever happens to sit next to the reference in memory, the effect is that arbitrary process memory is returned to the caller as if it were sequence data, potentially exposing sensitive program state, and if the out-of-range read touches unmapped memory the process crashes. Since the caller (for example samtools) then writes the decoded sequence and MD tag into its output, leaked memory can end up in a SAM/BAM file that is shared further. The issue is fixed in versions 1.23.1, 1.22.2 and 1.21.1 by adding boundary checks and rejecting CRAM data whose features would read outside the reference.
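The pattern described above, as an added illustration that is not HTSlib's code: a simplified "copy N bases from reference position P" feature applied once without reference-side validation and once with the checks a fixed decoder needs (negative position, negative length, end past the reference, output capacity). The reference string, the `ref_feature` struct and all function names are constructed for this example; HTSlib's real data structures and `cram_decode_seq()` are considerably more involved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an externally loaded reference contig
 * (15 bases). Whatever sits after it in memory is what an unchecked
 * copy would leak. Not an HTSlib data structure. */
static const char REF[] = "ACGTACGTTTGACCA";
#define REF_LEN ((int64_t)(sizeof(REF) - 1))

/* Hypothetical one-feature record: copy `len` bases starting at the
 * 0-based reference position `pos`. Both values come from the file. */
typedef struct { int64_t pos; int64_t len; } ref_feature;

/* Vulnerable shape: only the output side is bounded. A negative pos
 * reads before REF, pos+len beyond REF_LEN reads past it, and a
 * negative len slips through the signed compare and becomes a huge
 * size_t in memcpy. Shown for contrast; never called with bad input. */
static int copy_ref_unchecked(const ref_feature *f, char *out, size_t out_cap) {
    if (f->len > (int64_t)out_cap) return -1;
    memcpy(out, REF + f->pos, (size_t)f->len);
    return (int)f->len;
}

/* Hardened shape: reject the feature unless [pos, pos+len) lies inside
 * the reference and fits the output. The end check is written as a
 * subtraction so that a huge len cannot overflow pos + len. */
static int copy_ref_checked(const ref_feature *f, char *out, size_t out_cap) {
    if (f->pos < 0 || f->len < 0) return -1;          /* negative position or length */
    if ((uint64_t)f->len > (uint64_t)out_cap) return -1; /* output buffer too small */
    if (f->pos > REF_LEN - f->len) return -1;         /* would read past reference end */
    memcpy(out, REF + f->pos, (size_t)f->len);
    return (int)f->len;
}

/* Apply features in order; returns bases written, or -1 as soon as one
 * feature is rejected (the whole record is refused, not partially kept).
 * Output is NUL-terminated so callers can treat it as a string. */
static int decode_seq(const ref_feature *feats, size_t n, char *out, size_t out_cap) {
    if (out_cap == 0) return -1;
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        int w = copy_ref_checked(&feats[i], out + used, out_cap - used - 1);
        if (w < 0) return -1;
        used += (size_t)w;
    }
    out[used] = '\0';
    return (int)used;
}

/* Helper for the self-test: verdict of the hardened copy for one feature. */
static int feature_verdict(int64_t pos, int64_t len) {
    char scratch[64];
    ref_feature f = { pos, len };
    return copy_ref_checked(&f, scratch, sizeof scratch);
}

/* Helper for the self-test: decode two well-formed features and compare. */
static int example_decode_matches(const char *expected) {
    char out[64];
    const ref_feature feats[] = { { 0, 4 }, { 11, 4 } };
    int n = decode_seq(feats, 2, out, sizeof out);
    return n >= 0 && strcmp(out, expected) == 0;
}

int main(void) {
    char out[64];
    const ref_feature good[] = { { 0, 4 }, { 11, 4 } };
    const ref_feature bad[]  = { { -3, 4 }, { 12, 4 }, { 0, -1 }, { 0, INT64_MAX } };

    /* Both shapes agree on valid input; only the checked one is safe on bad input. */
    int n = copy_ref_unchecked(&good[0], out, sizeof out);
    printf("unchecked, valid feature: %d bases\n", n);

    n = decode_seq(good, 2, out, sizeof out);
    printf("checked, valid record: %d bases -> %s\n", n, out);

    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        printf("checked, feature {pos=%lld, len=%lld}: %d\n",
               (long long)bad[i].pos, (long long)bad[i].len,
               feature_verdict(bad[i].pos, bad[i].len));
    return 0;
}
```

The point of the three checks is that each one closes a different path to the same out-of-bounds read: a negative position walks backwards off the buffer, an oversize length or end position walks forward off it, and a negative length turns into a gigantic unsigned copy. Rejecting the whole record rather than clamping also matters, because clamped output would silently produce wrong sequence data instead of an error the caller can act on.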
How can this vulnerability impact me?
The impact is information disclosure and loss of availability in anything that decodes CRAM with a vulnerable HTSlib. A malformed CRAM file, whether deliberately crafted or corrupted, can cause the decoder to return bytes of arbitrary process memory as sequence data or MD tag content, potentially revealing sensitive internal state, and because that output is normally written to a SAM/BAM file, the leaked bytes can travel beyond the process that decoded the file.
The same out-of-range access can also hit unmapped memory and crash the process, which is a denial of service for pipelines, services or workflow steps that rely on HTSlib for CRAM processing.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know