CVE-2026-31969

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_STOP` method, an out-by-one error in the `cram_byte_array_stop_decode_char()` function check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/samtools/htslib/commit/88cdf69e4b83bb550ab4f6f7134892c2ad1978f4	Patch
https://github.com/samtools/htslib/security/advisories/GHSA-q4cj-f4h5-fqgc	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:htslib:htslib::::::::
	cpe:2.3:a:htslib:htslib::::::::
	cpe:2.3:a:htslib:htslib:1.23:::::::*

History

No history.

Information

Published : 2026-03-18 20:16

Updated : 2026-03-19 13:59

NVD link : CVE-2026-31969

Mitre link : CVE-2026-31969

CVE.ORG link : CVE-2026-31969

JSON object : View

Products Affected

htslib

htslib

CWE

CWE-122

Heap-based Buffer Overflow

CWE-787

Out-of-bounds Write

{"id": "CVE-2026-31969", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-18T20:16:21.743", "references": [{"url": "https://github.com/samtools/htslib/commit/88cdf69e4b83bb550ab4f6f7134892c2ad1978f4", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/samtools/htslib/security/advisories/GHSA-q4cj-f4h5-fqgc", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_STOP` method, an out-by-one error in the `cram_byte_array_stop_decode_char()` function check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue."}, {"lang": "es", "value": "HTSlib es una biblioteca para leer y escribir formatos de archivo bioinform\u00e1ticos. CRAM es un formato comprimido que almacena datos de alineaci\u00f3n de secuencias de ADN utilizando una variedad de codificaciones y m\u00e9todos de compresi\u00f3n. Al leer datos codificados usando el m\u00e9todo 'BYTE_ARRAY_STOP', un error de uno de m\u00e1s en la comprobaci\u00f3n de la funci\u00f3n 'cram_byte_array_stop_decode_char()' para un b\u00fafer de salida lleno podr\u00eda resultar en que un solo byte controlado por el atacante se escriba m\u00e1s all\u00e1 del final de una asignaci\u00f3n de memoria din\u00e1mica. Explotar este error causa un desbordamiento de b\u00fafer de heap. Si un usuario abre un archivo dise\u00f1ado para explotar este problema, podr\u00eda llevar a que el programa falle, o a la sobrescritura de datos y estructuras de heap de maneras no esperadas por el programa. Podr\u00eda ser posible usar esto para obtener ejecuci\u00f3n de c\u00f3digo arbitrario. Las versiones 1.23.1, 1.22.2 y 1.21.1 incluyen correcciones para este problema. No hay soluci\u00f3n alternativa para este problema."}], "lastModified": "2026-03-19T13:59:56.393", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A069D6B6-FFF6-4DB7-9811-A568ECC4B288", "versionEndExcluding": "1.21.1"}, {"criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9D525C8-C8AD-4368-A396-EB4D9DA02B1C", "versionEndExcluding": "1.22.2", "versionStartIncluding": "1.22"}, {"criteria": "cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AAA6BBB2-76F3-4372-9BAE-FDE157401EFD"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}