Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
Lifecycle Timeline
4DescriptionGitHub Advisory
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the cram_decode_slice() function called while reading CRAM records, validation of the reference id field occurred too late, allowing two out of bounds reads to occur before the invalid data was detected. The bug does allow two values to be leaked to the caller, however as the function reports an error it may be difficult to exploit them. It is also possible that the program will crash due to trying to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
AnalysisAI
HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the reference ID field early enough during CRAM file parsing, allowing two separate out-of-bounds reads before error detection. The vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and can result in information disclosure through leaked memory values or application crashes when processing malicious or corrupted CRAM bioinformatics files. While the function reports an error after the reads occur, the window for exploitation exists and the practical impact depends on memory layout and application context.
Technical ContextAI
HTSlib (samtools:htslib per CPE specification cpe:2.3:a:samtools:htslib) is a widely-used C library for parsing bioinformatics file formats including BAM, SAM, and CRAM. CRAM is a compressed columnar format designed for DNA sequence alignment data storage and transmission. The vulnerability resides in the cram_decode_slice() function, which processes individual slices within CRAM records. The root cause is classified under CWE-125 (Out-of-bounds Read), where the reference ID field validation occurs too late in the processing pipeline. This allows the code to perform two memory reads using an unvalidated reference ID value as an array index before the validation check occurs, creating a classic time-of-check-time-of-use (TOCTOU) style vulnerability in data format parsing.
RemediationAI
Upgrade HTSlib to version 1.23.1, 1.22.2, or 1.21.1 or later, depending on your currently deployed branch. The fix is confirmed in commit 9cefb46453ad471e933b8212d4f45920524d3357 available at https://github.com/samtools/htslib/commit/9cefb46453ad471e933b8212d4f45920524d3357. For applications and pipelines that depend on HTSlib (such as SAMtools), ensure all downstream tools are updated to versions that include the patched library. No functional workaround exists for this issue per the vendor statement, so patching is the only mitigation. Prioritize upgrading in environments that process CRAM files from untrusted sources or in multi-tenant bioinformatics platforms.
An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au
samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in p
An issue has been found in HTSlib 1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, n
HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating f
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq(
HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handl
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink att
An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au
HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buf
HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_s
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loadin
HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1.11-4 | - |
| bookworm | vulnerable | 1.16+ds-3 | - |
| trixie | vulnerable | 1.21+ds-1 | - |
| forky, sid | vulnerable | 1.22.1+ds2-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12934