Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately `cram_decode_seq()` did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Published: 2026-03-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a heap buffer overflow in the cram_decode_seq function of HTSlib, triggered when improperly handling CRAM records that omit sequence data. The overflow allows an attacker-controlled byte to be written beyond the bounds of a heap allocation, potentially corrupting memory and enabling arbitrary code execution. The weakness corresponds to several CWE identifiers, including CWE-122, CWE-125, CWE-1284, CWE-129, and CWE-787.

Affected Systems

The affected component is the HTSlib library, used by samtools. Vulnerable releases are all htslib versions before 1.23.1, except the backport releases 1.22.2 and 1.21.1, which carry the fix. Administrators should compare the installed htslib version against the fixed versions in the advisory to determine whether a patch is required.

Risk and Exploitability

The severity of the flaw is high, with a CVSS score of 8.8, but its EPSS score is below 1% and it is not listed in the CISA KEV catalog, indicating a lower likelihood of exploitation in the wild. Exploitation requires an attacker to supply a malicious CRAM file that the application then processes, so the attack vector is local or remote file ingestion. If successful, the defect can lead to program termination or memory corruption that could be leveraged for arbitrary code execution, which represents a significant security risk wherever untrusted data is processed.

Generated by OpenCVE AI on March 19, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade htslib to version 1.23.1 or later, or to 1.22.2/1.21.1 where applicable.
  • Rebuild dependent tools such as samtools against the patched library.
  • Avoid opening untrusted CRAM files until the library is updated.
  • Monitor vendor advisories for additional patches or mitigations.
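The version check from the Affected Systems section and the upgrade action above both hinge on the fact that the fix is branch-specific: 1.23.1 and later are fixed, but so are the backports 1.22.2 and 1.21.1, while 1.23.0, 1.22.1 and 1.21.0 are not. The following POSIX shell script is an added example, not part of the OpenCVE record or of the htslib project. It classifies a version string against those fixed releases and, when run directly, tries to discover the installed version; it assumes version strings of the form MAJOR.MINOR or MAJOR.MINOR.PATCH (a missing PATCH counts as 0, so "1.22" is treated as 1.22.0, and any trailing suffix such as "-dirty" is ignored), and it assumes the output formats of `pkg-config --modversion htslib`, `htsfile --version` ("htsfile (htslib) 1.x") and `samtools --version` ("Using htslib 1.x").

```shell
#!/bin/sh
# Added example (not part of the OpenCVE record or of the htslib project):
# classify an htslib version string against the fixed releases named in the
# advisory for CVE-2026-31962: 1.23.1 and later, plus the backports 1.22.2 and 1.21.1.
# Assumption: versions look like MAJOR.MINOR or MAJOR.MINOR.PATCH; a missing
# PATCH counts as 0 (so "1.22" is 1.22.0) and any non-numeric suffix after the
# patch number (e.g. "1.23.1-dirty") is ignored.

# htslib_fixed VERSION -> prints "fixed" or "vulnerable"; exit status 0 when fixed.
htslib_fixed() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then
        minor=0; patch=0                  # bare MAJOR
    else
        minor=${rest%%.*}
        if [ "$minor" = "$rest" ]; then
            patch=0                       # MAJOR.MINOR
        else
            patch=${rest#*.}
            patch=${patch%%.*}            # drop anything past the patch number
        fi
    fi
    # strip non-numeric suffixes and default empty fields to 0
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}

    status=vulnerable
    if [ "$major" -gt 1 ]; then
        status=fixed                                                     # later major series
    elif [ "$major" -eq 1 ]; then
        if [ "$minor" -gt 23 ]; then status=fixed                        # 1.24 and later
        elif [ "$minor" -eq 23 ] && [ "$patch" -ge 1 ]; then status=fixed  # 1.23.1+
        elif [ "$minor" -eq 22 ] && [ "$patch" -ge 2 ]; then status=fixed  # backport 1.22.2
        elif [ "$minor" -eq 21 ] && [ "$patch" -ge 1 ]; then status=fixed  # backport 1.21.1
        fi
    fi
    echo "$status"
    [ "$status" = fixed ]
}

# installed_htslib_version -> prints the htslib version found on this host,
# trying pkg-config, then htsfile, then samtools (assumed output formats:
# "htsfile (htslib) 1.x" and "Using htslib 1.x"). Exit status 1 if none is found.
installed_htslib_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --modversion htslib 2>/dev/null; then
        return 0
    fi
    if command -v htsfile >/dev/null 2>&1; then
        htsfile --version 2>/dev/null | sed -n '1s/^htsfile (htslib) //p'
        return 0
    fi
    if command -v samtools >/dev/null 2>&1; then
        samtools --version 2>/dev/null | sed -n 's/^Using htslib //p'
        return 0
    fi
    return 1
}

# Usage: sh check_htslib.sh            (probe the installed library)
#        sh check_htslib.sh 1.22.1     (classify an explicit version string)
installed=${1:-$(installed_htslib_version || true)}
if [ -n "$installed" ]; then
    verdict=$(htslib_fixed "$installed") || true
    printf 'htslib %s: %s\n' "$installed" "$verdict"
else
    echo "htslib not found on this host" >&2
fi
```

The branch-aware comparison is the point: a naive "is it at least 1.23.1" test would wrongly flag the fixed 1.22.2 and 1.21.1 backports as vulnerable, while a naive "is it at least 1.21.1" test would wrongly accept 1.22.0, 1.22.1 and 1.23.0. Run it with no arguments on each host that links htslib, and pass a version string when checking a build that is not on PATH.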

Generated by OpenCVE AI on March 19, 2026 at 18:26 UTC.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 17:45:00 +0000

Type: First Time appeared
  Values Added: Htslib; Htslib htslib
Type: CPEs
  Values Added: cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*; cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Htslib; Htslib htslib
Type: Metrics
  Values Removed: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
  Values Added: Samtools; Samtools htslib
Type: Vendors & Products
  Values Added: Samtools; Samtools htslib

Thu, 19 Mar 2026 00:15:00 +0000

Type: Weaknesses
  Values Added: CWE-1284
Type: References
Type: Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}; threat_severity Important


Wed, 18 Mar 2026 19:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 18:15:00 +0000

Type: Description
  Values Added: HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `cram_decode_seq()` did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Type: Title
  Values Added: HTSlib CRAM reader has heap buffer overflow due to improper validation of input
Type: Weaknesses
  Values Added: CWE-122; CWE-125; CWE-129; CWE-787
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T18:37:22.954Z

Reserved: 2026-03-10T15:40:10.483Z

Link: CVE-2026-31962

Vulnrichment

Updated: 2026-03-18T18:37:19.990Z

NVD

Status : Analyzed

Published: 2026-03-18T18:16:28.190

Modified: 2026-03-19T17:30:45.370

Link: CVE-2026-31962

Redhat

Severity : Important

Public Date: 2026-03-18T18:08:26Z

Links: CVE-2026-31962 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T11:52:29Z