CVE-2026-31962

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `cram_decode_seq()` did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/samtools/htslib/commit/d799b54c6401879187bba4741be83ff590ac73e3	Patch
https://github.com/samtools/htslib/security/advisories/GHSA-xxmp-v7h3-gpwp	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:htslib:htslib::::::::
	cpe:2.3:a:htslib:htslib::::::::
	cpe:2.3:a:htslib:htslib:1.23:::::::*

History

No history.

Information

Published : 2026-03-18 18:16

Updated : 2026-03-19 17:30

NVD link : CVE-2026-31962

Mitre link : CVE-2026-31962

CVE.ORG link : CVE-2026-31962

JSON object : View

Products Affected

htslib

htslib

CWE

CWE-122

Heap-based Buffer Overflow

CWE-125

Out-of-bounds Read

CWE-129

Improper Validation of Array Index

CWE-787

Out-of-bounds Write

{"id": "CVE-2026-31962", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-18T18:16:28.190", "references": [{"url": "https://github.com/samtools/htslib/commit/d799b54c6401879187bba4741be83ff590ac73e3", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/samtools/htslib/security/advisories/GHSA-xxmp-v7h3-gpwp", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-129"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `cram_decode_seq()` did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue."}, {"lang": "es", "value": "HTSlib es una biblioteca para leer y escribir formatos de archivo bioinform\u00e1ticos. CRAM es un formato comprimido que almacena datos de alineaci\u00f3n de secuencias de ADN. Si bien la mayor\u00eda de los registros de alineaci\u00f3n almacenan valores de secuencia de ADN y de calidad, el formato tambi\u00e9n permite omitir estos datos en ciertos casos para ahorrar espacio. Debido a algunas peculiaridades del formato CRAM, es necesario manejar estos registros con cuidado, ya que en realidad almacenar\u00e1n datos que deben ser consumidos y luego descartados. Desafortunadamente, `cram_decode_seq()` no manej\u00f3 esto correctamente en algunos casos. Donde esto ocurri\u00f3, podr\u00eda resultar en la lectura de un solo byte m\u00e1s all\u00e1 del final de una asignaci\u00f3n de mont\u00f3n, seguido de la escritura de un solo byte controlado por el atacante en la misma ubicaci\u00f3n. Explotar este error causa un desbordamiento de b\u00fafer de mont\u00f3n. Si un usuario abre un archivo dise\u00f1ado para explotar este problema, podr\u00eda provocar el bloqueo del programa o la sobrescritura de datos y estructuras de mont\u00f3n de formas no esperadas por el programa. Podr\u00eda ser posible usar esto para obtener ejecuci\u00f3n de c\u00f3digo arbitrario. Las versiones 1.23.1, 1.22.2 y 1.21.1 incluyen correcciones para este problema. No hay una soluci\u00f3n alternativa para este problema."}], "lastModified": "2026-03-19T17:30:45.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A069D6B6-FFF6-4DB7-9811-A568ECC4B288", "versionEndExcluding": "1.21.1"}, {"criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9D525C8-C8AD-4368-A396-EB4D9DA02B1C", "versionEndExcluding": "1.22.2", "versionStartIncluding": "1.22"}, {"criteria": "cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AAA6BBB2-76F3-4372-9BAE-FDE157401EFD"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}