Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Lifecycle Timeline
4DescriptionGitHub Advisory
HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP [BGZF] files. In the GZI loading function, bgzf_index_load_hfile(), it was possible to trigger an integer overflow, leading to an under- or zero-sized buffer being allocated to store the index. Sixteen zero bytes would then be written to this buffer, and, depending on the result of the overflow the rest of the file may also be loaded into the buffer as well. If the function did attempt to load the data, it would eventually fail due to not reading the expected number of records, and then try to free the overflowed heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. The easiest work-around is to discard any .gzi index files from untrusted sources, and use the bgzip -r option to recreate them.
AnalysisAI
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loading function bgzf_index_load_hfile(). An integer overflow during buffer allocation allows attackers to craft malicious .gzi files that trigger heap memory corruption, potentially leading to denial of service, data corruption, or remote code execution when a user opens the compromised file. No evidence of active exploitation in the wild has been reported, but the vulnerability is demonstrable and patch availability is confirmed.
Technical ContextAI
HTSlib is a widely-used C library for reading and writing bioinformatics file formats including SAM, BAM, CRAM, VCF, and BCF files. GZI files are companion index files for BGZF (block-compressed GZIP) compressed data, enabling efficient random access without decompressing entire files. The vulnerability exists in the GZI loading mechanism where an integer overflow in buffer size calculation (CWE-122: Heap-based Buffer Overflow) causes undersized or zero-length heap buffers to be allocated. The code then attempts to write 16 zero bytes followed by index records into this inadequately sized buffer, causing heap memory corruption. The affected CPE is cpe:2.3:a:samtools:htslib:*:*:*:*:*:*:*:* for versions below the patched releases.
RemediationAI
Upgrade HTSlib to version 1.23.1, 1.22.2, or 1.21.1 or later depending on the release branch in use (https://github.com/samtools/htslib/commit/6dd0d7d0e9e7e2e173a28969e624db8bc8bb5828 contains the fix). For immediate mitigation without patching, discard any .gzi index files from untrusted sources and regenerate them locally using bgzip -r on trusted BAM or BGZF files; this prevents loading of malicious index files. Organizations should prioritize patching given the RCE potential, and conduct inventory of dependent tools (SAMtools, BCFtools, etc.) to ensure consistent version updates across the HTSlib ecosystem.
An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au
samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in p
An issue has been found in HTSlib 1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, n
HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating f
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq(
HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handl
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink att
An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au
HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buf
HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_s
HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference
HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the refer
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1.11-4 | - |
| bookworm | vulnerable | 1.16+ds-3 | - |
| trixie | vulnerable | 1.21+ds-1 | - |
| forky, sid | vulnerable | 1.22.1+ds2-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12946