Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Lifecycle Timeline
4DescriptionGitHub Advisory
SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, in the cram-size command, used to write information about how well CRAM files are compressed, a check to see if the cram_decode_compression_header() was missing. If the function returned an error, this could lead to a NULL pointer dereference. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
AnalysisAI
SAMtools versions 1.17 and later contain a null pointer dereference vulnerability in the cram-size command due to missing error handling for the cram_decode_compression_header() function. When this function fails and returns an error, the code does not properly validate the return value before dereferencing the pointer, allowing an attacker to crash the application by providing a malformed CRAM file. This is a denial-of-service vulnerability with no active exploitation reported in the wild, though patches are available in versions 1.23.1, 1.22.2, and 1.21.1.
Technical ContextAI
SAMtools (cpe:2.3:a:samtools:samtools:*:*:*:*:*:*:*:*) is a widely-used bioinformatics utility for manipulating sequence alignment map (SAM), BAM, and CRAM file formats. The vulnerability exists specifically in the cram-size subcommand, which analyzes CRAM file compression efficiency. The root cause is classified as CWE-476 (Null Pointer Dereference), which occurs when the cram_decode_compression_header() function encounters malformed CRAM file headers and returns an error condition. The vulnerable code path fails to check the function's return value before using the resulting pointer, leading to a dereference of a null or invalid memory address. CRAM is a reference-based compression format for genomic sequencing data, making SAMtools critical infrastructure in bioinformatics pipelines.
RemediationAI
Upgrade SAMtools to version 1.23.1, 1.22.2, or 1.21.1 or later, depending on your currently deployed version. The fix is implemented in commit 06fc2a219b3d7c94d3f412c09f6d1efd51199f2f, which adds proper error checking for the cram_decode_compression_header() function return value. No workaround exists for this issue, making patching mandatory. Users unable to upgrade immediately should restrict execution of the cram-size command to trusted administrators and validate all input CRAM files using alternative tools before processing them with SAMtools. Consult the GitHub security advisory at https://github.com/samtools/samtools/security/advisories/GHSA-x86f-q6fj-cm43 for detailed patch notes and deployment guidance.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12958