CVE-2026-31967 in htslib

Summary

by MITRE • 03/18/2026

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, the value of the mate reference id field was not validated. Later use of this value, for example when converting the data to SAM format, could result in out-of-bounds array reads when looking up the corresponding reference name. If the array value obtained also happened to be a valid pointer, it would be interpreted as a string and an attempt would be made to write the data as part of the SAM record. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.


Analysis

by VulDB Data Team • 03/24/2026

The vulnerability CVE-2026-31967 affects HTSlib, a widely used bioinformatics library that handles various file formats including CRAM, a compressed format for storing DNA sequence alignment data. The flaw resides in the `cram_decode_slice()` function, which processes CRAM records while a file is being read. The issue stems from inadequate validation of the mate reference id field, which serves as an index into the table of reference sequences described by the CRAM header.

The technical flaw manifests because the mate reference id field is not range-checked during CRAM record processing. The unvalidated value is propagated through subsequent operations, particularly when the data is converted to SAM format. When the reference name for the mate is looked up using the malformed identifier, the index runs past the end of the reference array and an out-of-bounds read occurs. If the value read from beyond the array coincidentally constitutes a valid memory pointer, it is treated as a string and written into the SAM record output; otherwise the dereference faults. Either way the behaviour is unpredictable.
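The following is an added illustration of the two lookup patterns described above; it is constructed for this page and is not HTSlib's own code. The reference names, the `record_t` struct and the function names are hypothetical stand-ins for the CRAM header's reference list and for a decoded record; the SAM conventions used are that an unmapped mate (id -1) is written as `*` and a mate on the same reference as `=`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed reference table standing in for the CRAM header's list of
 * reference sequences (hypothetical names, not from any real file). */
static const char *const ref_names[] = { "chr1", "chr2", "chrM" };
#define N_REFS ((int)(sizeof ref_names / sizeof ref_names[0]))

/* Minimal stand-in for a decoded alignment record; not HTSlib's own struct. */
typedef struct {
    int ref_id;      /* reference this record is aligned to */
    int mate_ref_id; /* reference of the mate; -1 means the mate is unmapped */
} record_t;

/* Vulnerable pattern: the decoded id is trusted as an index.  A hostile id
 * reads past ref_names[]; if the bytes there form a valid pointer, its target
 * is printed into the SAM RNEXT column (leak), otherwise the read crashes. */
const char *rnext_unchecked(const record_t *r) {
    if (r->mate_ref_id == -1) return "*";
    if (r->mate_ref_id == r->ref_id) return "=";
    return ref_names[r->mate_ref_id];
}

/* Hardened: a mate reference id is valid only in the range [-1, nref). */
int mate_ref_id_ok(int mate_ref_id, int nref) {
    return mate_ref_id >= -1 && mate_ref_id < nref;
}

/* Decode-time check of the kind the advisory says cram_decode_slice() lacked.
 * Returns the index of the first record with an out-of-range id, or -1. */
int validate_slice(const record_t *recs, int n, int nref) {
    for (int i = 0; i < n; i++)
        if (!mate_ref_id_ok(recs[i].mate_ref_id, nref)) return i;
    return -1;
}

/* SAM RNEXT text for a record, or NULL if its mate id is out of range. */
const char *rnext_checked(const record_t *r) {
    if (!mate_ref_id_ok(r->mate_ref_id, N_REFS)) return NULL;
    return rnext_unchecked(r); /* safe here: the index has been bounded */
}

int main(void) {
    /* Constructed slice: two sane records and one with a hostile mate id. */
    record_t slice[] = { {0, 0}, {1, -1}, {2, 1000000} };
    int bad = validate_slice(slice, 3, N_REFS);
    printf("first invalid record: %d, RNEXT[0]: %s\n", bad, rnext_checked(&slice[0]));
    return bad == -1 ? 0 : 1;
}
```

The check belongs at decode time, as in the fixed releases, so that a hostile record is rejected before any later consumer such as the SAM writer indexes the reference table.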

This vulnerability presents significant operational risks to bioinformatics applications that rely on HTSlib for processing genomic data. The out-of-bounds read can leak information about the program's internal state, potentially exposing memory addresses or other details of the process layout in the SAM output. The invalid memory access can also crash the program through a segmentation fault or access violation, disrupting bioinformatics workflows and potentially leading to data loss. Fixes are included in HTSlib releases 1.23.1, 1.22.2 and 1.21.1; earlier releases in each series remain affected.

From a cybersecurity perspective, this vulnerability aligns with CWE-125, which describes out-of-bounds read conditions, and CWE-787, which covers out-of-bounds write operations. The attack surface is particularly concerning in bioinformatics environments where large-scale genomic data processing occurs, as these systems often process sensitive patient or research data. The lack of workaround solutions means that affected systems must be upgraded to patched versions to mitigate the risk. Organizations implementing HTSlib-based applications should prioritize immediate deployment of the fixed versions and conduct thorough testing to ensure no regression in functionality while addressing this memory safety vulnerability.

The ATT&CK framework categorizes this vulnerability under T1059.001 for command and script interpreter execution, as the memory corruption could potentially enable code execution if exploited by an attacker with control over the input data. The vulnerability's impact extends beyond simple crashes to include potential information disclosure, making it particularly dangerous in research environments where data confidentiality is paramount. Given the specialized nature of bioinformatics applications and their typically high-value data, this vulnerability requires immediate attention from security teams responsible for maintaining genomic data processing infrastructure.

Responsible

GitHub M

Reservation

03/10/2026

Disclosure

03/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00024

KEV

no

Activities

very low

Sources
