CVE-2026-31971
Received Received - Intake
Heap and Stack Buffer Overflow in HTSlib CRAM Decoder

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_LEN` method, the `cram_byte_array_len_decode()` failed to validate that the amount of data being unpacked matched the size of the output buffer where it was to be stored. Depending on the data series being read, this could result either in a heap or a stack overflow with attacker-controlled bytes. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31971
EUVD
EUVD-2026-12948
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
htslib htslib to 1.21.1 (exc)
htslib htslib From 1.22 (inc) to 1.22.2 (exc)
htslib htslib 1.23
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

There is no specific detection method or commands provided in the available information to identify exploitation of CVE-2026-31971 on a network or system.

Mitigation Strategies

To mitigate CVE-2026-31971, you should upgrade HTSlib to a fixed version. The vulnerability is patched in versions 1.21.1, 1.22.2, and 1.23.1.

There are no workarounds available for this issue, so applying the update is the only effective mitigation.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-31971 is a vulnerability in the HTSlib library, specifically in the CRAM decoder component that reads compressed DNA sequence alignment data. The issue occurs in the function cram_byte_array_len_decode() when processing data encoded with the BYTE_ARRAY_LEN method. This function fails to properly validate that the amount of data being unpacked matches the size of the output buffer, which can lead to buffer overruns.'}, {'type': 'paragraph', 'content': "Because the decoder does not check if the decoded length exceeds the allocated buffer size, it can cause either a heap or stack buffer overflow with attacker-controlled data. This means that if a specially crafted file is opened, it could cause the program to crash, overwrite important data structures unexpectedly, or even change the program's control flow, potentially allowing arbitrary code execution."}, {'type': 'paragraph', 'content': 'The vulnerability was fixed by adding explicit checks to detect overruns and adjusting buffer size calculations to ensure safe decoding of byte arrays.'}] [1, 2]

Impact Analysis

This vulnerability can have serious impacts if exploited. An attacker can craft a malicious CRAM file that, when processed by the vulnerable HTSlib library, causes a heap or stack buffer overflow.

The consequences include program crashes, unexpected overwriting of data structures in memory, and potentially arbitrary code execution. This means an attacker could execute malicious code on the system running the vulnerable software without needing any privileges or user interaction.

Such impacts can lead to denial of service, data corruption, or compromise of the affected system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31971. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart