Is Htslib affected by EUVD-2026-12938?

Organizations using HTSlib should be aware of notable risk from CVE-2026-31967, a out-of-bounds read vulnerability rated CVSS 6.9. Exploitation could cause memory corruption or application crashes. Organizations should apply vendor updates when available and monitor for exploitation.

EUVD-2026-12938

| CVE-2026-31967 MEDIUM

2026-03-18 GitHub_M

6.9

CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 18, 2026 - 19:30 vuln.today

EUVD ID Assigned

Mar 18, 2026 - 19:30 euvd

EUVD-2026-12938

CVE Published

Mar 18, 2026 - 19:15 nvd

MEDIUM 6.9

Description

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, the value of the mate reference id field was not validated. Later use of this value, for example when converting the data to SAM format, could result in the out of bounds array reads when looking up the corresponding reference name. If the array value obtained also happened to be a valid pointer, it would be interpreted as a string and an attempt would be made to write the data as part of the SAM record. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

Analysis

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain an out-of-bounds read vulnerability in the CRAM file parser where the mate reference ID field is not validated during decoding. An attacker can craft a malicious CRAM file that, when processed by affected applications (particularly those converting CRAM to SAM format), triggers out-of-bounds array access that may leak sensitive information about program state or cause a denial of service through memory access violations. …

Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +34

POC: 0

Vendor Status

Debian

htslib

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	1.11-4	-
bookworm	vulnerable	1.16+ds-3	-
trixie	vulnerable	1.21+ds-1	-
forky, sid	vulnerable	1.22.1+ds2-1	-
(unstable)	fixed	(unfixed)	-

EUVD-2026-12938 vulnerability details – vuln.today

Back

EUVD-2026-12938

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Debian

Share

EUVD-2026-12938

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Debian

Share

External POC / Exploit Code