CVE-2026-31963 in htslib
Summary
by MITRE • 03/18/2026
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding these features, an out-by-one error in a test for CRAM features that appear beyond the extent of the CRAM record sequence could result in an invalid write of one attacker-controlled byte beyond the end of a heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability identified as CVE-2026-31963 affects HTSlib, a widely-used library for handling bioinformatics file formats including the CRAM compression format that stores DNA sequence alignment data. This library serves as a critical component in genomic research and clinical diagnostics, processing vast amounts of sequence data that are essential for medical and scientific applications. The CRAM format employs reference-based compression techniques to minimize storage requirements, where each alignment record stores only the location within a reference sequence along with a series of features representing differences from that reference. This approach significantly reduces file sizes while maintaining data integrity for genomic analysis workflows.
The technical flaw is an out-by-one error in the CRAM feature decoder, in the test that is meant to reject features positioned beyond the end of the record's sequence. Because the boundary condition is wrong, a feature placed exactly at the boundary (one past the last valid index) passes the check, and the decoder writes one attacker-controlled byte one position beyond the end of the heap buffer holding the sequence. A bounds check exists, but it does not account for the exact extent of the buffer, which is why the issue is classified as CWE-129 (Improper Validation of Array Index). The result is a heap buffer overflow, if a single-byte one, reachable from file input alone.
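The following is an added illustration, not htslib's code: a deliberately simplified C model of applying substitution "features" to a record sequence, with the off-by-one bounds test next to its corrected form. The structure, the function names and the sentinel-byte harness are assumptions made for the demonstration; the real CRAM feature decoder is considerably more involved, and this model only reproduces the boundary mistake the advisory describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model for illustration only; not htslib code, and the
 * names below are invented rather than htslib identifiers. */

typedef struct {
    int32_t pos;   /* 0-based offset into the record sequence, read from the file */
    char    base;  /* replacement base, read from the file */
} feature_t;

/* Vulnerable bounds test: rejects pos > seq_len but accepts pos == seq_len,
 * which is one past the last valid index of a seq_len-byte buffer. */
static int feature_ok_vuln(int32_t pos, int32_t seq_len) {
    return pos >= 0 && pos <= seq_len;
}

/* Corrected bounds test: the only valid indices are 0 .. seq_len-1. */
static int feature_ok_fixed(int32_t pos, int32_t seq_len) {
    return pos >= 0 && pos < seq_len;
}

/* Apply n features to seq (seq_len bytes) using the given bounds predicate.
 * Returns the number of features applied, or -1 when a feature is rejected. */
static int apply_features(char *seq, int32_t seq_len,
                          const feature_t *f, size_t n,
                          int (*ok)(int32_t, int32_t)) {
    for (size_t i = 0; i < n; i++) {
        if (!ok(f[i].pos, seq_len))
            return -1;
        seq[f[i].pos] = f[i].base;   /* the write the bounds test is guarding */
    }
    return (int)n;
}

/* Harness: decode a constructed record into a buffer that carries one
 * sentinel byte past its logical end, so the off-by-one write can be
 * observed safely instead of corrupting real heap metadata.
 * Returns 1 if the sentinel was overwritten, 0 otherwise. */
static int sentinel_clobbered(int (*ok)(int32_t, int32_t)) {
    const int32_t seq_len = 8;
    char *buf = malloc((size_t)seq_len + 1);   /* +1 is the sentinel, not part of seq */
    if (buf == NULL)
        return -1;
    memcpy(buf, "ACGTACGT", 8);
    buf[seq_len] = '\0';                       /* sentinel value */

    /* Constructed attacker input: one in-range feature, then one positioned
     * exactly at seq_len, the boundary the vulnerable test mishandles. */
    const feature_t feats[] = { {3, 'N'}, {seq_len, 'X'} };

    (void)apply_features(buf, seq_len, feats, 2, ok);
    int clobbered = buf[seq_len] != '\0';
    free(buf);
    return clobbered;
}

int main(void) {
    printf("vulnerable check: sentinel overwritten = %d\n",
           sentinel_clobbered(feature_ok_vuln));
    printf("fixed check:      sentinel overwritten = %d\n",
           sentinel_clobbered(feature_ok_fixed));
    return 0;
}
```

The sentinel byte is what makes the overflow visible here without undefined behaviour; in the real bug there is no spare byte, and the one-byte write lands on whatever the allocator placed after the buffer. Removing the `+ 1` from the allocation and building with `-fsanitize=address` turns the same input into a reported heap-buffer-overflow write, which is the quickest way to confirm a fix of this kind in a decoder you maintain.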
The operational impact of this vulnerability extends beyond a simple crash to potential arbitrary code execution, which makes it particularly dangerous wherever HTSlib processes genomic data from untrusted sources. When a user opens a maliciously crafted CRAM file, the single out-of-bounds byte can overwrite adjacent data or heap structures, producing behaviour the program does not expect and, depending on what follows the buffer, giving an attacker a foothold to corrupt memory further. Versions 1.23.1, 1.22.2 and 1.21.1 contain the fix for the bounds test in the feature decoder; releases before the fix in each of those series are affected. Given how genomic data is shared and processed, this vulnerability presents a significant risk to research institutions, clinical laboratories and bioinformatics infrastructure whose pipelines rely on HTSlib.
The exploitation potential of this vulnerability aligns with ATT&CK technique T1203 (Exploitation for Client Execution): an attacker crafts a CRAM file that triggers the overflow during normal processing, and the target executes it simply by opening the file with a vulnerable HTSlib-based tool. Because there is no workaround, organizations must upgrade to a patched version to mitigate the risk; until that is done, CRAM files from outside the organization should be treated as hostile input and, where possible, decoded by tools running with reduced privileges. The case underscores the importance of exact bounds checking in parsers for untrusted file formats and shows how a one-character mistake in a boundary test can have severe consequences in environments that process data at scale. Organizations should prioritize updating their HTSlib installations and confirm that every tool statically or dynamically linked against the library has picked up the fix.