CVE-2026-31962 in htslib
Summary
by MITRE • 03/18/2026
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `cram_decode_seq()` function did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability CVE-2026-31962 affects HTSlib, a widely used library for handling bioinformatics file formats, including the CRAM format for compressed DNA sequence alignment data. The library is a core component of genomics research pipelines and clinical applications, where correct processing of genetic data is essential. CRAM allows a record to omit its DNA sequence and quality values in certain cases to save space, but such records can still carry encoded data that the decoder must consume and then discard, which makes the memory handling for them more delicate than for ordinary records. The flaw is in the `cram_decode_seq()` function, which in some cases mishandles these special records and fails to respect the bounds of the buffer it is writing into.
The defect produces a heap buffer overflow through a specific sequence of memory operations. The function first reads a single byte from just beyond the end of a heap allocation, then writes an attacker-controlled byte to that same location. This one-byte out-of-bounds read followed by a one-byte out-of-bounds write gives an attacker a precise way to corrupt whatever lies immediately after the allocation, whether application data or heap structures, and may be leveraged toward arbitrary code execution. The vulnerability is classified under CWE-121 as a stack-based buffer overflow, though the specific manifestation occurs in heap memory management. The attack vector is a maliciously crafted CRAM file that drives `cram_decode_seq()` down the code path for records with omitted sequence data. The resulting corruption can crash the program or, in the worse case, alter heap data and metadata in ways the program does not expect.
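As an added illustration, not HTSlib code and not the real CRAM encoding, the following toy decoder shows the defensive pattern the advisory implies: the "omitted sequence" path consumes and discards the bases without ever touching the output buffer, and every read from the input and write to the output is bounds-checked before it happens. The record layout, `reader_t`, `decode_record_safe()` and the sample stream are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy record layout, NOT the real CRAM encoding:
 *   byte 0: flags (bit 0 set => bases are present in the stream but must be
 *           consumed and discarded, mirroring the "omitted sequence" case)
 *   byte 1: number of bases n
 *   next n bytes: the bases themselves                                  */
#define FLAG_SEQ_OMITTED 0x01

typedef struct { const uint8_t *in; size_t in_len; size_t pos; } reader_t;

/* Decode one record into out[out_cap]. Returns bytes written, 0 when the
 * bases were consumed and discarded, or -1 on any bounds violation. */
int decode_record_safe(reader_t *r, uint8_t *out, size_t out_cap) {
    if (r->in_len - r->pos < 2) return -1;   /* header would read past input */
    uint8_t flags = r->in[r->pos++];
    size_t n = r->in[r->pos++];
    if (r->in_len - r->pos < n) return -1;   /* bases would read past input */
    if (flags & FLAG_SEQ_OMITTED) {
        r->pos += n;                         /* consume and discard: no write */
        return 0;
    }
    if (n > out_cap) return -1;              /* refuse to write past the buffer */
    memcpy(out, r->in + r->pos, n);
    r->pos += n;
    return (int)n;
}

/* Constructed stream: an "omitted" record whose 5 bases exceed the 4-byte
 * output buffer (must be skipped, not written), then a normal 3-base record. */
static const uint8_t sample_stream[] = {
    0x01, 0x05, 'A', 'C', 'G', 'T', 'N',
    0x00, 0x03, 'A', 'C', 'G'
};

/* Decodes the sample stream; returns the record count, or -1 on error. */
int decode_sample(void) {
    reader_t r = { sample_stream, sizeof sample_stream, 0 };
    uint8_t out[4];
    int records = 0;
    while (r.pos < r.in_len) {
        if (decode_record_safe(&r, out, sizeof out) < 0) return -1;
        records++;
    }
    return records;
}

/* A non-omitted record longer than the output buffer must be rejected. */
int oversized_record_rejected(void) {
    static const uint8_t bad[] = { 0x00, 0x05, 'A', 'C', 'G', 'T', 'N' };
    reader_t r = { bad, sizeof bad, 0 };
    uint8_t out[4];
    return decode_record_safe(&r, out, sizeof out) == -1;
}
```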
The operational impact extends beyond simple program instability: applications that process untrusted CRAM files may be exposed to remote code execution. Because HTSlib is embedded in numerous bioinformatics tools and platforms, successful exploitation could compromise both research data integrity and system security across the genomics community. Fixes ship in versions 1.23.1, 1.22.2 and 1.21.1, so earlier releases in each of those series should be treated as affected, and the issue warrants prompt attention from system administrators and security teams. Applications that use HTSlib to process CRAM files from external or otherwise untrusted sources face elevated risk. Since no workaround exists, organizations cannot reduce exposure through configuration changes or temporary patches, which makes upgrading the only effective remedy.
Mitigation should focus on upgrading to the patched HTSlib releases, specifically versions 1.23.1, 1.22.2 and 1.21.1, which contain the fix for this heap buffer overflow. Security teams should inventory all systems that use HTSlib components (including tools that bundle it), particularly those processing genomic data from external sources. The vulnerability aligns with ATT&CK technique T1059.007 for command and scripting interpreter, as exploitation could enable attackers to execute arbitrary code on affected systems. Organizations should implement strict validation of incoming CRAM files and consider sandboxing bioinformatics file processing so that a crash or corruption in the parser cannot reach the rest of the system. Regular security updates and monitoring for similar memory corruption issues in related libraries should be prioritized, as this flaw illustrates the need for careful bounds handling in scientific computing libraries that parse complex data formats.