Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Lifecycle Timeline
4DescriptionGitHub Advisory
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the CONST, XPACK and XRLE encodings did not properly implement the interface needed to do this. Trying to decode records with omitted sequence or quality data using these encodings would result in an attempt to write to a NULL pointer. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
AnalysisAI
HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference vulnerability in its CRAM format decoder affecting versions before 1.23.1, 1.22.2, and 1.21.1. The vulnerability exists in the CONST, XPACK, and XRLE encodings which fail to properly handle CRAM records with omitted sequence or quality data, causing attempts to write to NULL pointers when these records are decoded. An attacker can exploit this by providing a malformed CRAM file to any application using vulnerable HTSlib versions, resulting in denial of service through application crash, with no known active exploitation or public proof-of-concept at this time.
Technical ContextAI
HTSlib is a C library used across bioinformatics pipelines to parse and manipulate sequence alignment formats including SAM, BAM, and CRAM. The CRAM format is a highly compressed alternative to BAM that uses various encoding schemes including CONST, XPACK, and XRLE to store DNA sequence and quality data. The CRAM specification allows certain alignment records to omit sequence and quality information to conserve space; these records still contain encoded data that must be consumed and discarded by the decoder. The root cause (CWE-476: NULL Pointer Dereference) occurs because the three vulnerable encodings did not properly implement the interface contract required to handle these omitted-data records, attempting to dereference NULL pointers during the discard operation. This affects HTSlib versions across the 1.21.x, 1.22.x, and 1.23.x release lines as identified by CPE cpe:2.3:a:samtools:htslib:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade HTSlib to version 1.21.1, 1.22.2, or 1.23.1 or later depending on your current release line. The patch is available via the official HTSlib repository (https://github.com/samtools/htslib/commit/e64e68da567d2309509d059ace016d5d7fc7514f). After upgrading HTSlib, rebuild any dependent applications (SAMtools, BCFtools, custom bioinformatics pipelines) that statically link or dynamically depend on the library. For organizations unable to immediately patch, implement input validation by rejecting or sandboxing processing of CRAM files with omitted sequence/quality records, and restrict HTSlib-based services to trusted data sources only. Enable crash logging and alerting on HTSlib-based processes to detect exploitation attempts. No functional workaround exists within HTSlib itself, so patching is mandatory.
An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au
samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in p
An issue has been found in HTSlib 1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, n
HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating f
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq(
HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handl
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink att
An issue has been found in HTSlib 1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au
HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buf
HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_s
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loadin
HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the refer
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1.11-4 | - |
| bookworm | vulnerable | 1.16+ds-3 | - |
| trixie | vulnerable | 1.21+ds-1 | - |
| forky, sid | vulnerable | 1.22.1+ds2-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12932