Skip to main content

Htslib CVE-2026-31970

| EUVDEUVD-2026-12946 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-03-18 GitHub_M
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 20:00 euvd
EUVD-2026-12946
Analysis Generated
Mar 18, 2026 - 20:00 vuln.today
CVE Published
Mar 18, 2026 - 19:53 nvd
HIGH 7.1

DescriptionGitHub Advisory

HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP [BGZF] files. In the GZI loading function, bgzf_index_load_hfile(), it was possible to trigger an integer overflow, leading to an under- or zero-sized buffer being allocated to store the index. Sixteen zero bytes would then be written to this buffer, and, depending on the result of the overflow the rest of the file may also be loaded into the buffer as well. If the function did attempt to load the data, it would eventually fail due to not reading the expected number of records, and then try to free the overflowed heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. The easiest work-around is to discard any .gzi index files from untrusted sources, and use the bgzip -r option to recreate them.

AnalysisAI

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loading function bgzf_index_load_hfile(). An integer overflow during buffer allocation allows attackers to craft malicious .gzi files that trigger heap memory corruption, potentially leading to denial of service, data corruption, or remote code execution when a user opens the compromised file. No evidence of active exploitation in the wild has been reported, but the vulnerability is demonstrable and patch availability is confirmed.

Technical ContextAI

HTSlib is a widely-used C library for reading and writing bioinformatics file formats including SAM, BAM, CRAM, VCF, and BCF files. GZI files are companion index files for BGZF (block-compressed GZIP) compressed data, enabling efficient random access without decompressing entire files. The vulnerability exists in the GZI loading mechanism where an integer overflow in buffer size calculation (CWE-122: Heap-based Buffer Overflow) causes undersized or zero-length heap buffers to be allocated. The code then attempts to write 16 zero bytes followed by index records into this inadequately sized buffer, causing heap memory corruption. The affected CPE is cpe:2.3:a:samtools:htslib:*:*:*:*:*:*:*:* for versions below the patched releases.

RemediationAI

Upgrade HTSlib to version 1.23.1, 1.22.2, or 1.21.1 or later depending on the release branch in use (https://github.com/samtools/htslib/commit/6dd0d7d0e9e7e2e173a28969e624db8bc8bb5828 contains the fix). For immediate mitigation without patching, discard any .gzi index files from untrusted sources and regenerate them locally using bgzip -r on trusted BAM or BGZF files; this prevents loading of malicious index files. Organizations should prioritize patching given the RCE potential, and conduct inventory of dependent tools (SAMtools, BCFtools, etc.) to ensure consistent version updates across the HTSlib ecosystem.

More in Htslib

View all
CVE-2018-13843 HIGH POC
7.5 Jul 10

An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au

CVE-2017-1000206 CRITICAL
9.8 Nov 17

samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in p

CVE-2018-13845 CRITICAL
9.8 Jul 10

An issue has been found in HTSlib 1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, n

CVE-2026-31963 HIGH
8.8 Mar 18

HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating f

CVE-2026-31962 HIGH
8.8 Mar 18

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq(

CVE-2026-31968 HIGH
8.8 Mar 18

HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handl

CVE-2018-14329 MEDIUM POC
4.7 Jul 17

In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink att

CVE-2018-13844 HIGH
7.5 Jul 10

An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au

CVE-2026-31971 HIGH
7.1 Mar 18

HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buf

CVE-2026-31969 HIGH
7.1 Mar 18

HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_s

CVE-2026-31964 MEDIUM
6.9 Mar 18

HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference

CVE-2026-31965 MEDIUM
6.9 Mar 18

HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the refer

Vendor StatusVendor

Debian

htslib
Release Status Fixed Version Urgency
bullseye vulnerable 1.11-4 -
bookworm vulnerable 1.16+ds-3 -
trixie vulnerable 1.21+ds-1 -
forky, sid vulnerable 1.22.1+ds2-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-31970 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy