Skip to main content

Samtools CVE-2026-31972

| EUVDEUVD-2026-12956 MEDIUM
Use After Free (CWE-416)
2026-03-18 GitHub_M
Medium
Disputed · 6.9 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.21.1
EUVD ID Assigned
Mar 18, 2026 - 21:00 euvd
EUVD-2026-12956
Analysis Generated
Mar 18, 2026 - 21:00 vuln.today
CVE Published
Mar 18, 2026 - 20:32 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The mpileup command outputs DNA sequences that have been aligned against a known reference. On each output line it writes the reference position, optionally the reference DNA base at that position (obtained from a separate file) and all of the DNA bases that aligned to that position. As the output is ordered by position, reference data that is no longer needed is discarded once it has been printed out. Under certain conditions the data could be discarded too early, leading to an attempt to read from a pointer to freed memory. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. This bug is fixed in versions 1.21.1 and 1.22. There is no workaround for this issue.

AnalysisAI

SAMtools mpileup command contains a use-after-free vulnerability in reference data management that can leak sensitive program state information or trigger application crashes when processing aligned DNA sequences. The vulnerability affects versions prior to 1.2 and requires no authentication or user interaction to exploit, though a patch is not yet available. An attacker could leverage this to obtain information disclosure or cause denial of service against systems processing bioinformatics data with vulnerable SAMtools versions.

Technical ContextAI

SAMtools is a bioinformatics utility suite used for processing DNA sequence alignment files (BAM/SAM formats). The mpileup command specifically reads aligned sequences and outputs them alongside reference sequence data obtained from a separate reference file. The vulnerability is rooted in CWE-416 (use-after-free), a memory safety defect where the reference data buffer is deallocated prematurely based on position ordering assumptions. When certain input conditions occur, the code attempts to access reference positions that have already been freed, causing the program to dereference invalid memory pointers. The affected product is identified by CPE cpe:2.3:a:samtools:samtools:*:*:*:*:*:*:*:*, indicating all versions below the patched releases are in scope.

RemediationAI

Upgrade SAMtools to version 1.21.1 or 1.22 (or later) immediately, as these are the confirmed patched versions addressing this use-after-free condition. The fix is available in the upstream repository at commit 3036eb9af945fcef359427a2d359855553da4adf. No workaround is available for this vulnerability according to the official advisory, so patching is mandatory. For organizations unable to update immediately, restrict mpileup command execution to trusted, validated sequencing data sources and implement process isolation or containerization to limit the blast radius of potential crashes.

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-31972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy