Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Lifecycle Timeline
4DescriptionGitHub Advisory
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the BYTE_ARRAY_LEN method, the cram_byte_array_len_decode() failed to validate that the amount of data being unpacked matched the size of the output buffer where it was to be stored. Depending on the data series being read, this could result either in a heap or a stack overflow with attacker-controlled bytes. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
AnalysisAI
HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buffer overflow vulnerability in its CRAM format decoder. The vulnerability exists in the cram_byte_array_len_decode() function which fails to validate that unpacked data matches the output buffer size, affecting HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1. An attacker can craft a malicious CRAM file that, when opened by a user, triggers either a heap or stack overflow with attacker-controlled bytes, potentially leading to arbitrary code execution, program crash, or memory corruption.
Technical ContextAI
HTSlib (cpe:2.3:a:samtools:htslib) is a C library providing core functionality for reading and writing bioinformatics file formats including SAM, BAM, and CRAM. CRAM is a compressed sequence alignment format that uses multiple encoding and compression strategies to reduce file size. The vulnerability resides in the BYTE_ARRAY_LEN decoding method within the CRAM decoder, where the cram_byte_array_len_decode() function processes variable-length byte arrays. The root cause is classified under CWE-121 (Stack-based Buffer Overflow) and related heap overflow patterns, stemming from insufficient input validation. The decoder reads a length field and unpacks data without verifying that the actual data size matches the declared size or the allocated buffer capacity, allowing malicious input to write beyond buffer boundaries.
RemediationAI
Immediately upgrade HTSlib to version 1.23.1, 1.22.2, or 1.21.1 or later depending on your release line, as detailed in the GitHub security advisory at https://github.com/samtools/htslib/security/advisories/GHSA-jvx4-4wq7-6fmh. The upstream patch is available at https://github.com/samtools/htslib/commit/01cd003b46fa2ebea4d9be5475b11217eb4c11be. No workaround exists for this vulnerability; patching is the only mitigation. For applications unable to patch immediately, implement strict input validation by refusing CRAM files from untrusted sources, sandboxing HTSlib-dependent processes using OS-level isolation (containers, seccomp), and monitoring for unexpected process termination or memory access patterns. Verify that all downstream tools and pipelines (samtools, GATK, etc.) are updated to use patched HTSlib versions.
An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au
samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in p
An issue has been found in HTSlib 1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, n
HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating f
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq(
HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handl
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink att
An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au
HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_s
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loadin
HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference
HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the refer
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1.11-4 | - |
| bookworm | vulnerable | 1.16+ds-3 | - |
| trixie | vulnerable | 1.21+ds-1 | - |
| forky, sid | vulnerable | 1.22.1+ds2-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12948