Skip to main content

Htslib CVE-2026-31968

| EUVDEUVD-2026-12942 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-03-18 GitHub_M
8.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 19:45 euvd
EUVD-2026-12942
Analysis Generated
Mar 18, 2026 - 19:45 vuln.today
CVE Published
Mar 18, 2026 - 19:38 nvd
HIGH 8.8

DescriptionGitHub Advisory

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For the VARINT and CONST encodings, incomplete validation of the context in which the encodings were used could result in up to eight bytes being written beyond the end of a heap allocation, or up to eight bytes being written to the location of a one byte variable on the stack, possibly causing the values to adjacent variables to change unexpectedly. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

AnalysisAI

HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handlers, where incomplete context validation allows writes of up to eight bytes beyond heap allocation boundaries or into stack-allocated single-byte variables. This vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and impacts any application using the library to process CRAM-formatted bioinformatics data files. An attacker can craft a malicious CRAM file to trigger heap or stack overflow conditions, potentially leading to denial of service, memory corruption, or arbitrary code execution when processed by a vulnerable application.

Technical ContextAI

HTSlib is a widely-used C library for parsing bioinformatics file formats, particularly CRAM (Compressed Reference-aligned Alignments Map), which is a space-efficient format for storing DNA sequence alignment data. CRAM employs multiple encoding schemes including VARINT (variable-length integer) and CONST (constant value) encodings to compress alignment blocks. The vulnerability (CWE-121: Stack-based Buffer Overflow) stems from insufficient validation of the encoding context before writing decoded data, allowing writes that extend beyond allocated buffer sizes. The affected product is specifically identified via CPE cpe:2.3:a:samtools:htslib:*:*:*:*:*:*:*:* for all versions below the patched releases. The root cause involves the decoder not properly checking bounds or context constraints before committing decoded values to memory, a classic heap and stack buffer overflow scenario in C libraries.

RemediationAI

Immediately upgrade HTSlib to version 1.23.1, 1.22.2, or 1.21.1 or later depending on your currently deployed version line, as these releases contain the necessary fixes. Apply the patch commit 0ec436796eca7b4ce7fcc9b77270c102da29bb2e from the HTSlib repository (available at https://github.com/samtools/htslib/commit/0ec436796eca7b4ce7fcc9b77270c102da29bb2e). For applications embedding HTSlib, coordinate with upstream vendors for patched versions of dependent tools and re-link or recompile with the patched library. Until patching is possible, restrict file processing to files from trusted sources only and avoid processing CRAM files from untrusted repositories or external data sources. Implement strict file format validation at the application level and monitor for unexpected crashes or memory corruption issues in HTSlib-dependent services. There is no workaround available short of patching or avoiding CRAM format processing entirely.

More in Htslib

View all
CVE-2018-13843 HIGH POC
7.5 Jul 10

An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au

CVE-2017-1000206 CRITICAL
9.8 Nov 17

samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in p

CVE-2018-13845 CRITICAL
9.8 Jul 10

An issue has been found in HTSlib 1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, n

CVE-2026-31963 HIGH
8.8 Mar 18

HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating f

CVE-2026-31962 HIGH
8.8 Mar 18

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq(

CVE-2018-14329 MEDIUM POC
4.7 Jul 17

In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink att

CVE-2018-13844 HIGH
7.5 Jul 10

An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au

CVE-2026-31971 HIGH
7.1 Mar 18

HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buf

CVE-2026-31969 HIGH
7.1 Mar 18

HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_s

CVE-2026-31970 HIGH
7.1 Mar 18

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loadin

CVE-2026-31964 MEDIUM
6.9 Mar 18

HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference

CVE-2026-31965 MEDIUM
6.9 Mar 18

HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the refer

Vendor StatusVendor

Debian

htslib
Release Status Fixed Version Urgency
bullseye vulnerable 1.11-4 -
bookworm vulnerable 1.16+ds-3 -
trixie vulnerable 1.21+ds-1 -
forky, sid vulnerable 1.22.1+ds2-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-31968 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy