CVE-2026-31972 in SAMtools

Summary

by MITRE • 03/18/2026

SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The `mpileup` command outputs DNA sequences that have been aligned against a known reference. On each output line it writes the reference position, optionally the reference DNA base at that position (obtained from a separate file) and all of the DNA bases that aligned to that position. As the output is ordered by position, reference data that is no longer needed is discarded once it has been printed out. Under certain conditions the data could be discarded too early, leading to an attempt to read from a pointer to freed memory. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. This bug is fixed in versions 1.21.1 and 1.22. There is no workaround for this issue.


Analysis

by VulDB Data Team • 03/24/2026

CVE-2026-31972 affects SAMtools, a widely used bioinformatics tool for reading, manipulating and writing alignment data. Its mpileup command is a critical component for generating consensus sequences from DNA reads aligned against a reference genome: for each position it outputs the reference base and the read bases aligned there. That output is essential to variant calling and other genomic analysis workflows at the core of modern genomics research and clinical diagnostics.

The flaw lies in the mpileup command's handling of cached reference data, which is discarded prematurely during output generation. Because aligned sequences are processed in genomic-position order, the reference bases for a position are no longer needed once that position has been printed, and mpileup frees them at that point. Under certain conditions, however, the program decides the reference data can be freed before every operation that still depends on it has completed, a classic use-after-free pattern: the program then reads through a pointer to freed memory, leading to unpredictable behaviour and the security consequences described below.
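As an added illustration, not samtools' code and not the actual trigger (which the advisory does not detail), the following C model reproduces the failure mode described above: a sliding reference window released on the wrong condition, beside a hardened lookup that refuses stale reads instead of dereferencing freed memory. The window_* and emit_ref_column names, the genome string and the eviction rule are all constructed assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a sliding reference window used by a pileup-style
 * printer. NOT samtools' code; the eviction rule below is hypothetical. */
typedef struct {
    char *bases;   /* heap copy of reference bases covering [start, end) */
    int start, end;
    int live;      /* 1 while bases is valid, 0 once released */
} ref_window;

static ref_window window_load(const char *genome, int start, int end) {
    size_t n = (size_t)(end - start);
    ref_window w = { malloc(n + 1), start, end, 1 };
    memcpy(w.bases, genome + start, n);
    w.bases[n] = '\0';
    return w;
}

static void window_release(ref_window *w) {
    free(w->bases);
    w->bases = NULL;   /* clear the dangling pointer: a stale use now faults, not leaks */
    w->live = 0;
}

/* Reference base at pos, or 0 if the window was released or does not cover pos. */
static char window_base(const ref_window *w, int pos) {
    if (!w->live || pos < w->start || pos >= w->end)
        return 0;
    return w->bases[pos - w->start];
}

/* Fill out[] with the reference base for each position in [from, to), 'N' where
 * none was available. lookahead = furthest position the alignment reader has
 * already consumed. Returns the number of 'N's emitted (0 when correct). */
static int emit_ref_column(const char *genome, int from, int to, int lookahead,
                           int fixed, char *out) {
    ref_window w = window_load(genome, from, to);
    int missing = 0;
    for (int pos = from; pos < to; pos++) {
        /* Buggy rule: free the window once the *reader* is past it, although the
         * printer still needs it. Fixed rule: free only once the *printed* position
         * has moved past its end. */
        int done = fixed ? pos >= w.end : lookahead >= w.end;
        if (done && w.live) window_release(&w);
        char b = window_base(&w, pos);
        if (!b) { missing++; b = 'N'; }
        out[pos - from] = b;
    }
    out[to - from] = '\0';
    if (w.live) window_release(&w);
    return missing;
}
```

With the buggy rule and a reader that has already run ahead, every position in the window is printed after the window was freed; the live flag and nulled pointer turn what would be a silent read of freed memory into a detectable 'N'.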

The impact goes beyond a simple program crash: reading freed memory can disclose program state or sensitive data, and an attacker able to observe that output might learn about the program's internal workings or memory layout, which could assist more sophisticated attacks. The bug also affects the stability and reliability of genomic analysis pipelines, since a crash can make a critical research or diagnostic workflow fail unexpectedly. Because SAMtools is integral to numerous bioinformatics applications across research institutions and clinical laboratories, the flaw represents a significant risk to data integrity and system availability.

This vulnerability maps to CWE-416 (Use After Free), part of the broader class of memory safety issues. The flaw reflects memory management practices that violate fundamental principles for preventing memory corruption. From an attack perspective, this issue aligns with ATT&CK technique T1059.007 (Command and Scripting Interpreter: Python), as the memory corruption could be exploited through crafted input data that triggers the flawed memory management path. The vulnerability exists in SAMtools versions prior to 1.21.1 and 1.22. No workaround is available, so organizations must upgrade to a patched version to eliminate the risk; users cannot safely continue operating vulnerable versions without risking system compromise or data integrity issues in their genomic analysis workflows.

Responsible: GitHub M
Reservation: 03/10/2026
Disclosure: 03/18/2026
Moderation: accepted
CPE: ready
EPSS: 0.00023
KEV: no
Activities: very low
