Skip to main content

Htslib CVE-2026-31966

| EUVDEUVD-2026-12936 MEDIUM
Out-of-bounds Read (CWE-125)
2026-03-18 GitHub_M
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 19:30 euvd
EUVD-2026-12936
Analysis Generated
Mar 18, 2026 - 19:30 vuln.today
CVE Published
Mar 18, 2026 - 18:58 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding CRAM records, the reference data is stored in a char array, and parts matching the alignment record sequence are copied over as necessary. Due to insufficient validation of the feature data series, it was possible to make the cram_decode_seq() function copy data from either before the start, or after the end of the stored reference either into the buffer used to store the output sequence for the cram record, or into the buffer used to build the SAM MD tag. This allowed arbitrary data to be leaked to the calling function. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

AnalysisAI

HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain a buffer over-read vulnerability in the CRAM decoder's cram_decode_seq() function that fails to properly validate feature data offsets. An attacker can craft malicious CRAM files to read arbitrary data from memory adjacent to reference sequence buffers, leading to information disclosure of program state or denial of service through memory access violations. No active exploitation has been documented, but patches are available from the vendor.

Technical ContextAI

HTSlib is a C library (CPE: cpe:2.3:a:samtools:htslib) used across bioinformatics workflows for reading and writing sequence alignment file formats including CRAM. CRAM achieves compression through reference-based encoding: instead of storing full DNA sequences, it stores reference coordinates and a series of 'features' that describe differences from the reference. During decoding, the cram_decode_seq() function copies reference data into output buffers based on feature offsets. The root cause is classified as CWE-125 (Out-of-bounds Read), stemming from insufficient validation of feature data boundaries before memory copy operations. This allows reads from memory locations before the start or after the end of the reference buffer, which can be written into either the sequence output buffer or the MD tag construction buffer.

RemediationAI

Upgrade HTSlib to version 1.23.1 or later (preferred), or to 1.22.2 if remaining on the 1.22.x line, or to 1.21.1 if constrained to the 1.21.x line. Consult https://github.com/samtools/htslib/security/advisories/GHSA-5cj8-mj52-8vp3 for patch details and https://github.com/samtools/htslib/commit/22ec5230ef95769ab009420da69568c7e530af28 and related commits for code changes. There is no documented workaround; patching is mandatory. In environments where rapid patching is infeasible, implement input validation by rejecting CRAM files from untrusted sources and consider using alternative formats pending patch deployment.

More in Htslib

View all
CVE-2018-13843 HIGH POC
7.5 Jul 10

An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au

CVE-2017-1000206 CRITICAL
9.8 Nov 17

samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in p

CVE-2018-13845 CRITICAL
9.8 Jul 10

An issue has been found in HTSlib 1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, n

CVE-2026-31963 HIGH
8.8 Mar 18

HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating f

CVE-2026-31962 HIGH
8.8 Mar 18

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq(

CVE-2026-31968 HIGH
8.8 Mar 18

HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handl

CVE-2018-14329 MEDIUM POC
4.7 Jul 17

In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink att

CVE-2018-13844 HIGH
7.5 Jul 10

An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au

CVE-2026-31971 HIGH
7.1 Mar 18

HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buf

CVE-2026-31969 HIGH
7.1 Mar 18

HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_s

CVE-2026-31970 HIGH
7.1 Mar 18

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loadin

CVE-2026-31964 MEDIUM
6.9 Mar 18

HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference

Vendor StatusVendor

Debian

htslib
Release Status Fixed Version Urgency
bullseye vulnerable 1.11-4 -
bookworm vulnerable 1.16+ds-3 -
trixie vulnerable 1.21+ds-1 -
forky, sid vulnerable 1.22.1+ds2-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-31966 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy