CVE-2026-31968 in htslib

Summary

by MITRE • 03/18/2026

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For the `VARINT` and `CONST` encodings, incomplete validation of the context in which the encodings were used could result in up to eight bytes being written beyond the end of a heap allocation, or up to eight bytes being written to the location of a one byte variable on the stack, possibly causing the values of adjacent variables to change unexpectedly. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
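To make the width mismatch described above concrete, here is an added example in C (not HTSlib's code; the `codec`, `const_decode_*` and `frame` names and the set of allowed widths are assumptions): a CONST decoder that trusts the width the file declares, beside one that checks that width against the decode context before writing.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the CRAM CONST/VARINT width-mismatch bug class;
 * added example, not HTSlib's code. Widths the format allows: */
enum { OUT_INT8 = 1, OUT_INT32 = 4, OUT_INT64 = 8 };

/* Codec descriptor parsed from the untrusted file: it declares its own width. */
struct codec { int out_width; int64_t const_value; };

/* Vulnerable pattern: trusts the declared width and writes that many bytes
 * into `out`, even when `out` is a one-byte variable. */
static void const_decode_unchecked(const struct codec *c, void *out) {
    memcpy(out, &c->const_value, (size_t)c->out_width);
}

/* Hardened pattern: `dest_width` is the width of the variable the data
 * series is decoded into (fixed by the format and caller, never by the
 * file). Reject disallowed widths and any mismatch with that context. */
static int const_decode_checked(const struct codec *c, int dest_width, void *out) {
    if (c->out_width != OUT_INT8 && c->out_width != OUT_INT32 &&
        c->out_width != OUT_INT64)
        return -1;
    if (c->out_width != dest_width)
        return -1;                          /* would overrun `out` */
    memcpy(out, &c->const_value, (size_t)c->out_width);
    return 0;
}

/* Constructed destination: a one-byte field followed by seven bytes of
 * neighbouring state, in one buffer so the demo itself stays in bounds. */
struct frame { uint8_t flag; uint8_t neighbours[7]; };

/* How many neighbouring bytes the unchecked decoder clobbers when an
 * 8-byte CONST value lands in the one-byte `flag`. */
int clobbered_bytes_unchecked(void) {
    struct codec c = { OUT_INT64, (int64_t)0x4141414141414141LL };
    struct frame f; memset(&f, 0, sizeof f);
    const_decode_unchecked(&c, &f.flag);
    int n = 0;
    for (size_t i = 0; i < sizeof f.neighbours; i++) n += f.neighbours[i] != 0;
    return n;
}
/* Checked decoder's verdict for a file-declared width against a destination
 * of `dest_width` bytes: 0 accepted, -1 rejected. */
int verdict_checked(int declared, int dest_width) {
    struct codec c = { declared, (int64_t)0x4141414141414141LL };
    struct frame f; memset(&f, 0, sizeof f);
    return const_decode_checked(&c, dest_width, &f.flag);
}
```

In the unchecked path all seven neighbouring bytes are overwritten by a single decoded value; the checked path refuses the same input because the codec's declared width does not match the one-byte destination.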


Analysis

by VulDB Data Team • 03/24/2026

CVE-2026-31968 represents a critical buffer overflow vulnerability within the HTSlib library that processes bioinformatics CRAM format files. This vulnerability stems from insufficient validation of encoding contexts specifically affecting VARINT and CONST encodings used in CRAM file compression. The flaw manifests when processing malformed CRAM files that exploit improper bounds checking during data deserialization, potentially leading to memory corruption in either heap or stack memory regions.

Technically, the flaw is an out-of-bounds write of up to eight bytes past the end of a heap allocation or over a one-byte variable on the stack. When HTSlib processes a CRAM file containing crafted data, the VARINT and CONST decoders fail to validate their parameters against the context in which they are used, so the program writes beyond the memory reserved for the decoded value. Depending on the memory layout and the specific data stream, this corruption can crash the program, corrupt data structures, or potentially lead to arbitrary code execution.

From a cybersecurity perspective, this vulnerability directly maps to CWE-121 Stack-based Buffer Overflow and CWE-787 Out-of-bounds Write, both classified as high-risk memory safety issues. The ATT&CK framework categorizes this as a code injection technique under T1059.007, where an attacker could leverage the buffer overflow to manipulate program execution flow. The vulnerability's exploitation potential is particularly concerning in bioinformatics environments where researchers frequently process large datasets from multiple sources, creating opportunities for malicious file injection attacks.

The operational impact extends beyond immediate program crashes to include potential data integrity compromise and system availability issues. In research environments where HTSlib is extensively used for genomic data analysis, this vulnerability could allow attackers to corrupt analysis results or gain unauthorized access to computational resources. The lack of workaround means that affected systems must be upgraded to patched versions 1.23.1, 1.22.2, or 1.21.1 immediately. Organizations should implement strict file validation procedures and consider sandboxing CRAM file processing to limit potential exploitation impact while awaiting patches. The vulnerability demonstrates the critical importance of memory safety validation in scientific computing libraries where input sanitization is often assumed rather than enforced.

Responsible: GitHub M
Reservation: 03/10/2026
Disclosure: 03/18/2026
Moderation: accepted
CPE: ready
EPSS: 0.00020
KEV: no
Activities: very low
