CVE-2026-31970
Heap Buffer Overflow in HTSlib GZI Index Loading Allows Code Execution
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| htslib | htslib | From 1.22 (inc) to 1.22.2 (exc) |
| htslib | htslib | 1.23 |
| htslib | htslib | Up to 1.21 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
| CWE-131 | The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31970 is a vulnerability in the HTSlib library, specifically in the function bgzf_index_load_hfile() which reads GZI index files used for block-compressed GZIP (BGZF) files. The issue arises from an integer overflow when calculating the size of a buffer to store the index. This overflow can cause the program to allocate a buffer that is too small or even zero-sized.
After this incorrect allocation, the function writes sixteen zero bytes into the buffer, which leads to a heap buffer overflow. Depending on the overflow, additional file data may also be loaded into this improperly sized buffer. Eventually, the function fails to read the expected number of records and attempts to free the corrupted buffer, which can cause crashes or memory corruption.
This vulnerability can be exploited by crafting malicious GZI files that trigger the overflow, potentially allowing an attacker to cause program crashes or data corruption, or even to execute arbitrary code.
How can this vulnerability impact me?
If you use HTSlib to process GZI index files, this vulnerability can be exploited by an attacker who provides a specially crafted malicious GZI file.
- It can cause the program to crash unexpectedly.
- It can lead to corruption or overwriting of heap memory and data structures.
- In some cases, it may allow an attacker to execute arbitrary code on the affected system.
The vulnerability requires no privileges and can be triggered remotely by opening a malicious file, making it a significant security risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from processing crafted .gzi index files with the HTSlib library, specifically in the function bgzf_index_load_hfile(). Detection involves identifying usage of vulnerable HTSlib versions (up to 1.21, 1.22, 1.22.1, and 1.23) and monitoring for crashes or abnormal behavior when loading .gzi files.
Since the vulnerability is triggered by opening malicious .gzi files, one detection approach is to check for the presence of untrusted or suspicious .gzi files on your system.
No specific commands are provided in the available resources to detect exploitation attempts or scan for vulnerable files automatically.
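As an added example (not HTSlib's code, and not the patched logic), the check below shows the two things the explanation and the detection answer call for: computing the index buffer size from the declared entry count without integer wraparound, and validating a .gzi file against its real length before anything is allocated from it. It assumes the on-disk layout that bgzip writes for a GZI file (a little-endian uint64 entry count, then that many pairs of little-endian uint64 compressed/uncompressed offsets); the function names, return codes and sample byte strings are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed on-disk GZI layout (what bgzip writes): a little-endian uint64
 * entry count n, then n entries of two little-endian uint64 values
 * (compressed offset, uncompressed offset).  Helper names are hypothetical. */
#define GZI_HEADER_BYTES 8u
#define GZI_ENTRY_BYTES  16u

static uint64_t gzi_le64(const unsigned char *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Size of a buffer holding n entries plus one terminating all-zero entry,
 * computed without wraparound (the CWE-190 -> CWE-131 step the CVE describes).
 * Returns false when (n + 1) * 16 does not fit in size_t. */
bool gzi_alloc_bytes(uint64_t n, size_t *out) {
    if (n >= SIZE_MAX / GZI_ENTRY_BYTES)        /* n + 1 entries would not fit */
        return false;
    *out = ((size_t)n + 1) * GZI_ENTRY_BYTES;
    return true;
}

/* Check a GZI image held in memory before anything is allocated from it.
 * len is the real file length, which bounds how many entries an honest
 * index can declare.  Returns 0 when consistent, otherwise a negative code. */
int gzi_validate(const unsigned char *buf, size_t len, uint64_t *n_out) {
    if (len < GZI_HEADER_BYTES)
        return -1;                              /* truncated header */
    uint64_t n = gzi_le64(buf);
    size_t need = 0;
    if (!gzi_alloc_bytes(n, &need))
        return -2;                              /* count would overflow the size calculation */
    size_t body = need - GZI_ENTRY_BYTES;       /* bytes the n entries occupy on disk */
    if (body > len - GZI_HEADER_BYTES)
        return -3;                              /* declares more entries than the file holds */
    if (body < len - GZI_HEADER_BYTES)
        return -4;                              /* trailing bytes after the last entry */
    uint64_t prev_c = 0, prev_u = 0;
    for (uint64_t i = 0; i < n; i++) {
        const unsigned char *e = buf + GZI_HEADER_BYTES + (size_t)i * GZI_ENTRY_BYTES;
        uint64_t c = gzi_le64(e), u = gzi_le64(e + 8);
        if (i > 0 && (c < prev_c || u < prev_u))
            return -5;                          /* offsets must never go backwards */
        prev_c = c;
        prev_u = u;
    }
    if (n_out)
        *n_out = n;
    return 0;
}

/* Constructed sample inputs (not real index files). */
static const unsigned char gzi_good[] = {
    2, 0, 0, 0, 0, 0, 0, 0,                                  /* n = 2 */
    0, 0, 0, 0, 0, 0, 0, 0,      0, 0, 0, 0, 0, 0, 0, 0,     /* block 0: 0 / 0 */
    0x10, 0, 0, 0, 0, 0, 0, 0,   0, 0, 1, 0, 0, 0, 0, 0      /* block 1: 16 / 65536 */
};
static const unsigned char gzi_overflow_count[] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF           /* n = 2^64 - 1 */
};
static const unsigned char gzi_short[] = {
    5, 0, 0, 0, 0, 0, 0, 0                                   /* n = 5, but no entries follow */
};

int main(void) {
    uint64_t n = 0;
    printf("good:           %d (n=%llu)\n",
           gzi_validate(gzi_good, sizeof gzi_good, &n), (unsigned long long)n);
    printf("overflow count: %d\n",
           gzi_validate(gzi_overflow_count, sizeof gzi_overflow_count, NULL));
    printf("short file:     %d\n",
           gzi_validate(gzi_short, sizeof gzi_short, NULL));
    return 0;
}
```

The key property is that the declared count is tested against the size type's limit before it is multiplied, and against the file's actual length before any allocation, so a count chosen to wrap the size calculation is rejected at the header rather than producing an undersized buffer. The same check run over each .gzi file on a system is a cheap way to flag indexes that could never have been produced by bgzip.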
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to discard any .gzi index files from untrusted sources.
You should regenerate .gzi index files using the bgzip tool with the -r option to ensure safe and correct index files.
Additionally, update HTSlib to a fixed version: 1.21.1, 1.22.2, or 1.23.1 or later, which include patches preventing the integer overflow and heap buffer overflow.