CVE-2026-31968
Heap and Stack Buffer Overflow in HTSlib CRAM Encoding

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For the `VARINT` and `CONST` encodings, incomplete validation of the context in which the encodings were used could result in up to eight bytes being written beyond the end of a heap allocation, or up to eight bytes being written to the location of a one-byte variable on the stack, possibly causing the values of adjacent variables to change unexpectedly. Depending on the data stream, this could result in either a heap buffer overflow or a stack buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, to data structures on the heap or stack being overwritten in ways the program does not expect, or to the program's control flow being changed. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-19
Generated: 2026-06-16
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products
Showing 3 associated CPEs
Vendor    Product    Version / Range
htslib    htslib     before 1.21.1 (1.21.1 excluded)
htslib    htslib     from 1.22 (included) to 1.22.2 (excluded)
htslib    htslib     1.23
CWE
CWE ID    Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Executive Summary

This vulnerability exists in HTSlib, a library used for reading and writing bioinformatics file formats, specifically in its handling of the CRAM compressed format, which stores DNA sequence alignment data. The issue arises from incomplete validation of the context in which the VARINT and CONST encodings are used. This can cause up to eight bytes to be written beyond the end of a heap allocation, or up to eight bytes to be written to the location of a one-byte variable on the stack, potentially altering adjacent variables unexpectedly.

Depending on the data stream, this flaw can lead to either a heap buffer overflow or a stack buffer overflow. If a user opens a specially crafted file that exploits this vulnerability, it could cause the program to crash, overwrite data structures on the heap or stack in unintended ways, or change the program's control flow. This may allow an attacker to execute arbitrary code.

Versions 1.23.1, 1.22.2, and 1.21.1 of HTSlib include fixes for this issue, and there is no known workaround.

Impact Analysis

This vulnerability can cause a program using HTSlib to crash or behave unpredictably when processing maliciously crafted CRAM files. It can lead to memory corruption through heap or stack buffer overflows, which may overwrite important data structures.

More seriously, an attacker could exploit this flaw to alter the control flow of the program, potentially allowing arbitrary code execution. This means an attacker could run malicious code on your system with the privileges of the affected program, leading to data compromise, system instability, or further attacks.

Detection Guidance

The available information provides no specific detection method or command for identifying this vulnerability on a network or system.

Mitigation Strategies

The immediate mitigation step is to upgrade HTSlib to a fixed version. Versions 1.23.1, 1.22.2, and 1.21.1 include fixes for this vulnerability.

There is no workaround available for this issue, so updating the software is essential to prevent exploitation.
