CVE-2026-31969
Status: Received - Intake
Heap Buffer Overflow in HTSlib CRAM BYTE_ARRAY_STOP Decoder

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_STOP` method, an out-by-one error in the `cram_byte_array_stop_decode_char()` function check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor   Product   Version / Range
htslib   htslib    up to 1.21.1 (exclusive)
htslib   htslib    from 1.22 (inclusive) to 1.22.2 (exclusive)
htslib   htslib    1.23
CWE ID    Description
CWE-122   A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-787   The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31969 is a heap buffer overflow vulnerability in the HTSlib library, which is used for reading and writing bioinformatics file formats. The issue occurs in the CRAM decoder, specifically in the function cram_byte_array_stop_decode_char(), when processing data encoded with the BYTE_ARRAY_STOP method. An off-by-one error in the function's check for a full output buffer allows a single attacker-controlled byte to be written beyond the allocated heap buffer boundary.

This means that if a user opens a specially crafted CRAM file exploiting this bug, it could cause the program to crash or overwrite data and heap structures unexpectedly. In some cases, this could lead to arbitrary code execution. [2]


How can this vulnerability impact me?

The vulnerability can cause a program using HTSlib to crash or behave unpredictably by overwriting data and heap structures beyond their allocated boundaries.

More seriously, it may allow an attacker to execute arbitrary code by opening a specially crafted file, potentially compromising the system running the vulnerable software.

There is no workaround for this issue, so updating to patched versions (1.21.1, 1.22.2, or 1.23.1) is necessary to mitigate the risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There is no direct detection method or specific commands provided in the available information to identify this vulnerability on a network or system.

Detection would typically involve verifying the version of the HTSlib library in use, as vulnerable versions are up to 1.21, 1.22, 1.22.1, and 1.23, while fixed versions are 1.21.1, 1.22.2, and 1.23.1.

A practical approach is to check the installed HTSlib version using commands like `htslib --version` or inspecting the package manager information depending on your system.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade HTSlib to a patched version that addresses this vulnerability.

  • Upgrade to HTSlib version 1.21.1, 1.22.2, or 1.23.1 or later.

There are no workarounds available for this issue, so applying the update is essential to prevent exploitation.

Avoid opening or processing untrusted or specially crafted CRAM files until the update is applied, as exploitation requires opening a malicious file.

