CVE-2026-31969
Received Received - Intake
Heap Buffer Overflow in HTSlib CRAM BYTE_ARRAY_STOP Decoder

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_STOP` method, an out-by-one error in the `cram_byte_array_stop_decode_char()` function check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31969
EUVD
EUVD-2026-12944
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
htslib htslib to 1.21.1 (exc)
htslib htslib From 1.22 (inc) to 1.22.2 (exc)
htslib htslib 1.23
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-31969 is a heap buffer overflow vulnerability in the HTSlib library, which is used for reading and writing bioinformatics file formats. The issue occurs in the CRAM decoder, specifically in the function cram_byte_array_stop_decode_char(), when processing data encoded with the BYTE_ARRAY_STOP method. An off-by-one error in the function's check for a full output buffer allows a single attacker-controlled byte to be written beyond the allocated heap buffer boundary."}, {'type': 'paragraph', 'content': 'This means that if a user opens a specially crafted CRAM file exploiting this bug, it could cause the program to crash or overwrite data and heap structures unexpectedly. In some cases, this could lead to arbitrary code execution.'}] [2]

Impact Analysis

The vulnerability can cause a program using HTSlib to crash or behave unpredictably by overwriting data and heap structures beyond their allocated boundaries.

More seriously, it may allow an attacker to execute arbitrary code by opening a specially crafted file, potentially compromising the system running the vulnerable software.

There is no workaround for this issue, so updating to patched versions (1.21.1, 1.22.2, or 1.23.1) is necessary to mitigate the risk.

Compliance Impact

I don't know

Detection Guidance

There is no direct detection method or specific commands provided in the available information to identify this vulnerability on a network or system.

Detection would typically involve verifying the version of the HTSlib library in use, as vulnerable versions are up to 1.21, 1.22, 1.22.1, and 1.23, while fixed versions are 1.21.1, 1.22.2, and 1.23.1.

A practical approach is to check the installed HTSlib version using commands like `htslib --version` or inspecting the package manager information depending on your system.

Mitigation Strategies

The primary mitigation step is to upgrade HTSlib to a patched version that addresses this vulnerability.

  • Upgrade to HTSlib version 1.21.1, 1.22.2, or 1.23.1 or later.

There are no workarounds available for this issue, so applying the update is essential to prevent exploitation.

Avoid opening or processing untrusted or specially crafted CRAM files until the update is applied, as exploitation requires opening a malicious file.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31969. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart