Skip to main content

Htslib CVE-2026-31971

| EUVDEUVD-2026-12948 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-03-18 GitHub_M
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 20:00 euvd
EUVD-2026-12948
Analysis Generated
Mar 18, 2026 - 20:00 vuln.today
CVE Published
Mar 18, 2026 - 19:55 nvd
HIGH 7.1

DescriptionGitHub Advisory

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the BYTE_ARRAY_LEN method, the cram_byte_array_len_decode() failed to validate that the amount of data being unpacked matched the size of the output buffer where it was to be stored. Depending on the data series being read, this could result either in a heap or a stack overflow with attacker-controlled bytes. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

AnalysisAI

HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buffer overflow vulnerability in its CRAM format decoder. The vulnerability exists in the cram_byte_array_len_decode() function which fails to validate that unpacked data matches the output buffer size, affecting HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1. An attacker can craft a malicious CRAM file that, when opened by a user, triggers either a heap or stack overflow with attacker-controlled bytes, potentially leading to arbitrary code execution, program crash, or memory corruption.

Technical ContextAI

HTSlib (cpe:2.3:a:samtools:htslib) is a C library providing core functionality for reading and writing bioinformatics file formats including SAM, BAM, and CRAM. CRAM is a compressed sequence alignment format that uses multiple encoding and compression strategies to reduce file size. The vulnerability resides in the BYTE_ARRAY_LEN decoding method within the CRAM decoder, where the cram_byte_array_len_decode() function processes variable-length byte arrays. The root cause is classified under CWE-121 (Stack-based Buffer Overflow) and related heap overflow patterns, stemming from insufficient input validation. The decoder reads a length field and unpacks data without verifying that the actual data size matches the declared size or the allocated buffer capacity, allowing malicious input to write beyond buffer boundaries.

RemediationAI

Immediately upgrade HTSlib to version 1.23.1, 1.22.2, or 1.21.1 or later depending on your release line, as detailed in the GitHub security advisory at https://github.com/samtools/htslib/security/advisories/GHSA-jvx4-4wq7-6fmh. The upstream patch is available at https://github.com/samtools/htslib/commit/01cd003b46fa2ebea4d9be5475b11217eb4c11be. No workaround exists for this vulnerability; patching is the only mitigation. For applications unable to patch immediately, implement strict input validation by refusing CRAM files from untrusted sources, sandboxing HTSlib-dependent processes using OS-level isolation (containers, seccomp), and monitoring for unexpected process termination or memory access patterns. Verify that all downstream tools and pipelines (samtools, GATK, etc.) are updated to use patched HTSlib versions.

More in Htslib

View all
CVE-2018-13843 HIGH POC
7.5 Jul 10

An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au

CVE-2017-1000206 CRITICAL
9.8 Nov 17

samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in p

CVE-2018-13845 CRITICAL
9.8 Jul 10

An issue has been found in HTSlib 1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, n

CVE-2026-31963 HIGH
8.8 Mar 18

HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating f

CVE-2026-31962 HIGH
8.8 Mar 18

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq(

CVE-2026-31968 HIGH
8.8 Mar 18

HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handl

CVE-2018-14329 MEDIUM POC
4.7 Jul 17

In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink att

CVE-2018-13844 HIGH
7.5 Jul 10

An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au

CVE-2026-31969 HIGH
7.1 Mar 18

HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_s

CVE-2026-31970 HIGH
7.1 Mar 18

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loadin

CVE-2026-31964 MEDIUM
6.9 Mar 18

HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference

CVE-2026-31965 MEDIUM
6.9 Mar 18

HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the refer

Vendor StatusVendor

Debian

htslib
Release Status Fixed Version Urgency
bullseye vulnerable 1.11-4 -
bookworm vulnerable 1.16+ds-3 -
trixie vulnerable 1.21+ds-1 -
forky, sid vulnerable 1.22.1+ds2-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-31971 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy