CVE-2026-31971
Heap and Stack Buffer Overflow in HTSlib CRAM Decoder
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| htslib | htslib | Up to 1.21.1 (exc) |
| htslib | htslib | From 1.22 (inc) to 1.22.2 (exc) |
| htslib | htslib | 1.23 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific detection method or commands provided in the available information to identify exploitation of CVE-2026-31971 on a network or system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-31971, you should upgrade HTSlib to a fixed version. The vulnerability is patched in versions 1.21.1, 1.22.2, and 1.23.1.
There are no workarounds available for this issue, so applying the update is the only effective mitigation.
Can you explain this vulnerability to me?
CVE-2026-31971 is a vulnerability in the HTSlib library, specifically in the CRAM decoder component that reads compressed DNA sequence alignment data. The issue occurs in the function cram_byte_array_len_decode() when processing data encoded with the BYTE_ARRAY_LEN method. This function fails to properly validate that the amount of data being unpacked matches the size of the output buffer, which can lead to buffer overruns.

Because the decoder does not check if the decoded length exceeds the allocated buffer size, it can cause either a heap or stack buffer overflow with attacker-controlled data. This means that if a specially crafted file is opened, it could cause the program to crash, overwrite important data structures unexpectedly, or even change the program's control flow, potentially allowing arbitrary code execution.

The vulnerability was fixed by adding explicit checks to detect overruns and adjusting buffer size calculations to ensure safe decoding of byte arrays. [1, 2]
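As an added illustration of the defect class described above (not HTSlib's own code: the record layout, function names and sizes are constructed for this example), a simplified length-prefixed byte-array decoder in C, first in the form that trusts the declared length and then with the capacity check that closes the overrun:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a BYTE_ARRAY_LEN record: one length byte followed
 * by that many payload bytes. Added illustration of the bug class only, not
 * HTSlib's cram_byte_array_len_decode(). Return: bytes decoded, -1 on
 * truncated input, -2 when the record would overrun the output buffer. */

/* Vulnerable pattern (CWE-1284 leading to CWE-787): the declared length is
 * trusted and copied without ever comparing it to the capacity of 'out'. */
int decode_unchecked(const uint8_t *in, size_t in_len, uint8_t *out)
{
    if (in_len < 1) return -1;
    size_t n = in[0];                 /* attacker-controlled length */
    if (in_len < 1 + n) return -1;    /* input truncated */
    memcpy(out, in + 1, n);           /* no check against out's size */
    return (int)n;
}

/* Hardened pattern: the caller passes out_size and any record whose declared
 * length exceeds it is rejected outright (not silently truncated). */
int decode_checked(const uint8_t *in, size_t in_len,
                   uint8_t *out, size_t out_size)
{
    if (in_len < 1) return -1;
    size_t n = in[0];
    if (in_len < 1 + n) return -1;    /* input truncated */
    if (n > out_size) return -2;      /* would overrun: refuse to decode */
    memcpy(out, in + 1, n);
    return (int)n;
}

/* Constructed inputs: a benign 4-byte record and a crafted record that
 * declares 200 bytes for a 16-byte destination. */
int demo_benign(void)
{
    static const uint8_t rec[] = { 4, 'A', 'C', 'G', 'T' };
    uint8_t out[16];
    return decode_checked(rec, sizeof rec, out, sizeof out);   /* 4 */
}

int demo_crafted(void)
{
    uint8_t rec[1 + 200], out[16];
    rec[0] = 200;
    memset(rec + 1, 'A', 200);
    return decode_checked(rec, sizeof rec, out, sizeof out);   /* -2 */
}
```

The unchecked variant is shown only to mark where the missing comparison sits; the hardened one is the form a reader should take away.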
How can this vulnerability impact me?
This vulnerability can have serious impacts if exploited. An attacker can craft a malicious CRAM file that, when processed by the vulnerable HTSlib library, causes a heap or stack buffer overflow.
The consequences include program crashes, unexpected overwriting of data structures in memory, and potentially arbitrary code execution. This means an attacker could execute malicious code on the system running the vulnerable software without needing any privileges or user interaction.
Such impacts can lead to denial of service, data corruption, or compromise of the affected system.