CVE-2026-31968

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For the `VARINT` and `CONST` encodings, incomplete validation of the context in which the encodings were used could result in up to eight bytes being written beyond the end of a heap allocation, or up to eight bytes being written to the location of a one byte variable on the stack, possibly causing the values to adjacent variables to change unexpectedly. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/samtools/htslib/commit/0ec436796eca7b4ce7fcc9b77270c102da29bb2e	Patch
https://github.com/samtools/htslib/security/advisories/GHSA-cgcm-c9r2-p57j	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:htslib:htslib::::::::
	cpe:2.3:a:htslib:htslib::::::::
	cpe:2.3:a:htslib:htslib:1.23:::::::*

History

No history.

Information

Published : 2026-03-18 20:16

Updated : 2026-03-19 17:31

NVD link : CVE-2026-31968

Mitre link : CVE-2026-31968

CVE.ORG link : CVE-2026-31968

JSON object : View

Products Affected

htslib

htslib

CWE

CWE-121

Stack-based Buffer Overflow

CWE-122

Heap-based Buffer Overflow

CWE-787

Out-of-bounds Write

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

{"id": "CVE-2026-31968", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-18T20:16:21.480", "references": [{"url": "https://github.com/samtools/htslib/commit/0ec436796eca7b4ce7fcc9b77270c102da29bb2e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/samtools/htslib/security/advisories/GHSA-cgcm-c9r2-p57j", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-787"}, {"lang": "en", "value": "CWE-843"}]}], "descriptions": [{"lang": "en", "value": "HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For the `VARINT` and `CONST` encodings, incomplete validation of the context in which the encodings were used could result in up to eight bytes being written beyond the end of a heap allocation, or up to eight bytes being written to the location of a one byte variable on the stack, possibly causing the values to adjacent variables to change unexpectedly. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue."}, {"lang": "es", "value": "HTSlib es una biblioteca para leer y escribir formatos de archivo de bioinform\u00e1tica. CRAM es un formato comprimido que almacena datos de alineaci\u00f3n de secuencias de ADN utilizando una variedad de codificaciones y m\u00e9todos de compresi\u00f3n. Para las codificaciones 'VARINT' y 'CONST', la validaci\u00f3n incompleta del contexto en el que se utilizaron las codificaciones podr\u00eda resultar en la escritura de hasta ocho bytes m\u00e1s all\u00e1 del final de una asignaci\u00f3n de memoria en el mont\u00f3n, o en la escritura de hasta ocho bytes en la ubicaci\u00f3n de una variable de un byte en la pila, posiblemente causando que los valores de las variables adyacentes cambien inesperadamente. Dependiendo del flujo de datos, esto podr\u00eda resultar en un desbordamiento de b\u00fafer en el mont\u00f3n o un desbordamiento de pila. Si un usuario abre un archivo dise\u00f1ado para explotar este problema, podr\u00eda provocar el bloqueo del programa, la sobrescritura de estructuras de datos en el mont\u00f3n o la pila de formas no esperadas por el programa, o el cambio del flujo de control del programa. Podr\u00eda ser posible usar esto para obtener ejecuci\u00f3n de c\u00f3digo arbitrario. Las versiones 1.23.1, 1.22.2 y 1.21.1 incluyen correcciones para este problema. No existe una soluci\u00f3n alternativa para este problema."}], "lastModified": "2026-03-19T17:31:24.010", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A069D6B6-FFF6-4DB7-9811-A568ECC4B288", "versionEndExcluding": "1.21.1"}, {"criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9D525C8-C8AD-4368-A396-EB4D9DA02B1C", "versionEndExcluding": "1.22.2", "versionStartIncluding": "1.22"}, {"criteria": "cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AAA6BBB2-76F3-4372-9BAE-FDE157401EFD"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}