CVE-2026-31969 in htslib
Summary
by MITRE • 03/18/2026
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_STOP` method, an out-by-one error in the `cram_byte_array_stop_decode_char()` function check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability CVE-2026-31969 represents a critical heap buffer overflow in HTSlib's CRAM file format handling implementation. This issue specifically affects the `cram_byte_array_stop_decode_char()` function which processes data encoded with the BYTE_ARRAY_STOP method during CRAM file parsing. The flaw manifests as an out-by-one error in buffer boundary checking, where an attacker-controlled byte can be written beyond the allocated heap memory region. This type of vulnerability falls under CWE-121 Heap-based Buffer Overflow, which is classified as a severe memory safety issue in the Common Weakness Enumeration catalog. The vulnerability impacts the core functionality of HTSlib's bioinformatics data processing capabilities, particularly when handling compressed DNA sequence alignment data.
The technical exploitation of this vulnerability occurs during the parsing of maliciously crafted CRAM files that utilize the BYTE_ARRAY_STOP encoding method. When the vulnerable function processes the encoded data, it fails to properly validate the output buffer boundaries, allowing one extra byte to be written past the intended memory allocation. This buffer overflow can corrupt adjacent heap memory structures, potentially leading to program crashes, data corruption, or more severe consequences including arbitrary code execution. The attack vector is particularly concerning because it requires no special privileges: the bug is triggered simply by parsing a crafted file, so any standard file processing operation applied to untrusted CRAM input is exposed. This vulnerability directly maps to ATT&CK technique T1203, which involves exploiting software vulnerabilities to gain code execution.
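The following is an added illustration of the defect class described above, not code from HTSlib: a simplified, constructed model of a stop-byte decoder in which the "buffer full" check is off by one, shown beside the corrected check, with a harness that detects the one-byte overwrite through a canary byte placed immediately after the output buffer. The function names, the capacity of 4 and the sample input are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model (constructed for illustration, not htslib code) of a
 * BYTE_ARRAY_STOP-style decoder: copy input bytes into `out` until the
 * stop byte is seen.  `out` has room for exactly `out_cap` bytes. */

/* Buggy variant: the "buffer full" test runs one iteration too late.
 * With n == out_cap the test `n > out_cap` still passes, so one extra
 * input byte is written to out[out_cap], just past the allocation. */
int decode_stop_buggy(const uint8_t *in, size_t in_len, uint8_t stop,
                      uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == stop) { *out_len = n; return 0; }
        if (n > out_cap) return -1;   /* off by one: should be >= */
        out[n++] = in[i];
    }
    return -1; /* ran out of input before the stop byte */
}

/* Fixed variant: refuse to write once the buffer already holds out_cap bytes. */
int decode_stop_fixed(const uint8_t *in, size_t in_len, uint8_t stop,
                      uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == stop) { *out_len = n; return 0; }
        if (n >= out_cap) return -1;  /* buffer full: fail before writing */
        out[n++] = in[i];
    }
    return -1;
}

/* Harness: constructed input carries one payload byte more than the output
 * buffer can hold before the stop byte.  The buffer lives inside a larger
 * array with a canary byte right after it, so the overflow is observed
 * safely instead of corrupting real heap data.  Returns 1 if clobbered. */
int canary_clobbered(int (*decode)(const uint8_t *, size_t, uint8_t,
                                   uint8_t *, size_t, size_t *)) {
    enum { CAP = 4 };
    uint8_t storage[CAP + 1];
    memset(storage, 0xAA, sizeof storage);        /* storage[CAP] is the canary */
    const uint8_t in[] = { 1, 2, 3, 4, 5, 0x00 }; /* 5 payload bytes, stop = 0 */
    size_t out_len = 0;
    (void)decode(in, sizeof in, 0x00, storage, CAP, &out_len);
    return storage[CAP] != 0xAA;
}
```

The buggy decoder overwrites the canary with the fifth payload byte, while the fixed decoder returns an error at the fifth byte and leaves the canary intact.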
The operational impact of this vulnerability extends beyond simple program termination, as it can compromise the integrity of the entire bioinformatics processing pipeline. In research environments where HTSlib is extensively used for genomic data analysis, an attacker could potentially inject malicious code into the processing workflow, leading to data exfiltration or system compromise. Fixes are available in HTSlib versions 1.23.1, 1.22.2, and 1.21.1; the need to patch three separate release series indicates that the defect was present across much of the library's release cycle. Organizations utilizing HTSlib for critical genomic research or clinical data processing should immediately assess their systems for potential exposure and deploy the available patches. The lack of a workaround means that affected systems must be updated to the patched versions to ensure security, as the vulnerability cannot be mitigated through configuration changes or operational procedures alone.