Skip to main content

Htslib EUVDEUVD-2026-12923

| CVE-2026-31962 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-03-18 GitHub_M
8.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
Red Hat
7.3 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 18:15 euvd
EUVD-2026-12923
Analysis Generated
Mar 18, 2026 - 18:15 vuln.today
CVE Published
Mar 18, 2026 - 18:08 nvd
HIGH 8.8

DescriptionGitHub Advisory

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the cram_decode_seq() did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

AnalysisAI

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq() function when processing CRAM-formatted bioinformatics files with omitted sequence and quality data. An attacker can craft a malicious CRAM file that triggers an out-of-bounds read followed by an attacker-controlled single-byte write to heap memory, potentially enabling arbitrary code execution, data corruption, or denial of service when a user opens the file. No public exploit proof-of-concept has been identified, but the vulnerability is confirmed and patched by the HTSlib project.

Technical ContextAI

HTSlib is a C library for reading and writing bioinformatics file formats including SAM, BAM, and CRAM. CRAM is a compressed sequence alignment format that optimizes storage by allowing alignment records to omit DNA sequence and quality value data in certain contexts. However, the CRAM specification requires that even omitted data be present in the file stream and must be consumed and discarded during parsing. The vulnerability exists in the cram_decode_seq() function (CWE-122: Heap-based Buffer Overflow), where improper handling of these omitted-but-present data fields causes a single-byte read beyond allocated heap bounds, followed by a write of attacker-controlled data to that same out-of-bounds location. HTSlib is widely used in genomics pipelines and research workflows (CPE: cpe:2.3:a:samtools:htslib:*:*:*:*:*:*:*:*).

RemediationAI

Immediately upgrade HTSlib to version 1.23.1, 1.22.2, or 1.21.1 depending on your active release branch (see https://github.com/samtools/htslib/security/advisories/GHSA-xxmp-v7h3-gpwp for details). The fix has been implemented in commit d799b54c6401879187bba4741be83ff590ac73e3 and addresses the incorrect data consumption logic in cram_decode_seq(). If immediate patching is not feasible, restrict file input to CRAM files from trusted, verified sources and implement file integrity validation (e.g., cryptographic signatures) at ingestion points in your bioinformatics pipeline. Avoid processing CRAM files from untrusted or internet-sourced repositories until patching is complete. No functional workaround exists that does not involve disabling CRAM format support or upgrading HTSlib.

More in Htslib

View all
CVE-2018-13843 HIGH POC
7.5 Jul 10

An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au

CVE-2017-1000206 CRITICAL
9.8 Nov 17

samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in p

CVE-2018-13845 CRITICAL
9.8 Jul 10

An issue has been found in HTSlib 1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, n

CVE-2026-31963 HIGH
8.8 Mar 18

HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating f

CVE-2026-31968 HIGH
8.8 Mar 18

HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handl

CVE-2018-14329 MEDIUM POC
4.7 Jul 17

In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink att

CVE-2018-13844 HIGH
7.5 Jul 10

An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au

CVE-2026-31971 HIGH
7.1 Mar 18

HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buf

CVE-2026-31969 HIGH
7.1 Mar 18

HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_s

CVE-2026-31970 HIGH
7.1 Mar 18

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loadin

CVE-2026-31964 MEDIUM
6.9 Mar 18

HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference

CVE-2026-31965 MEDIUM
6.9 Mar 18

HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the refer

Vendor StatusVendor

Debian

htslib
Release Status Fixed Version Urgency
bullseye vulnerable 1.11-4 -
bookworm vulnerable 1.16+ds-3 -
trixie vulnerable 1.21+ds-1 -
forky, sid vulnerable 1.22.1+ds2-1 -
(unstable) fixed (unfixed) -

Share

EUVD-2026-12923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy