Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Lifecycle Timeline
4DescriptionGitHub Advisory
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding these features, an out-by-one error in a test for CRAM features that appear beyond the extent of the CRAM record sequence could result in an invalid write of one attacker-controlled byte beyond the end of a heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
AnalysisAI
HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating feature boundaries. When a user opens a maliciously crafted CRAM file, an attacker can write one controlled byte beyond the end of a heap buffer, potentially causing application crashes, data corruption, or arbitrary code execution. Versions 1.23.1, 1.22.2, and 1.21.1 include fixes, and patches are available via the official GitHub repository.
Technical ContextAI
HTSlib (samtools:htslib) is a widely-used C library for reading and writing bioinformatics data formats, including CRAM—a reference-based compression format for DNA sequence alignment data. CRAM reduces file size by storing only differences (features) relative to external reference sequences rather than full sequence data. The vulnerability stems from a CWE-122 (Heap-based Buffer Overflow) condition in the feature decoding logic: when HTSlib processes CRAM feature records, it performs a boundary check to ensure features do not extend beyond the sequence extent. An off-by-one error in this test allows a single attacker-controlled byte to be written one position past the allocated heap buffer's end. The affected CPE is cpe:2.3:a:samtools:htslib:*:*:*:*:*:*:*:* for versions prior to the patched releases.
RemediationAI
Immediately upgrade HTSlib to version 1.23.1, 1.22.2 (for the 1.22.x branch), or 1.21.1 (for the 1.21.x branch) or later. The patch is available via the official GitHub repository at https://github.com/samtools/htslib/commit/8bcc9907be0f945ddc31796d64f078fa05456acd. There is no documented workaround for this vulnerability; patching is the only mitigation. Organizations unable to patch immediately should restrict access to CRAM file processing infrastructure, validate CRAM file sources before processing, and implement application sandboxing or containerization to limit the impact of potential code execution. Automated dependency scanning should be configured to detect unpatched HTSlib versions in bioinformatics environments.
An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au
samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in p
An issue has been found in HTSlib 1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, n
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq(
HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handl
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink att
An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au
HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buf
HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_s
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loadin
HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference
HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the refer
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1.11-4 | - |
| bookworm | vulnerable | 1.16+ds-3 | - |
| trixie | vulnerable | 1.21+ds-1 | - |
| forky, sid | vulnerable | 1.22.1+ds2-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12930