Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding these features, an out-by-one error in a test for CRAM features that appear beyond the extent of the CRAM record sequence could result in an invalid write of one attacker-controlled byte beyond the end of a heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Published: 2026-03-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow leading to possible code execution
Action: Patch ASAP
AI Analysis

Impact

HTSlib, a C library for handling bioinformatics file formats, includes a CRAM reader that reconstructs aligned reads from reference-compressed data: each record stores a position in an external reference sequence plus a list of "features" describing where the read differs from the reference at that position. While applying those features, the decoder tests whether a feature's position lies beyond the end of the record sequence. That test is off by one, so a feature positioned exactly at the end of the sequence passes the check and causes one attacker-controlled byte to be written just past the end of the heap-allocated sequence buffer. A single-byte heap overflow of this kind can corrupt whatever heap metadata or object follows the buffer, leading to a crash, silent corruption of results or, depending on the allocator and the surrounding application, arbitrary code execution. The assigned weaknesses are CWE-122 (heap-based buffer overflow), CWE-129 (improper validation of array index), CWE-193 (off-by-one error) and CWE-787 (out-of-bounds write).
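The off-by-one described above, as an added illustration that is not htslib's code: a constructed, deliberately simplified CRAM-style decoder that copies a reference slice into a heap buffer of seq_len bytes and then applies substitution features to it. Feature offsets are 0-based and only substitutions are modelled (real CRAM features are delta-coded and 1-based, with many feature types). The buggy bounds test uses `>` where `>=` is required, so a feature at offset seq_len is accepted and writes one byte past the sequence; sentinel_clobbered() over-allocates the buffer by one byte and plants a sentinel there so the stray write can be observed without real undefined behaviour. All names, structures and inputs are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified model of a CRAM substitution feature: a 0-based
 * offset into the record sequence and the base written there.  Not htslib's
 * real feature encoding (which is delta-coded and 1-based). */
typedef struct {
    int  pos;
    char base;
} feature_t;

/* Flawed test: '>' lets pos == seq_len through, which indexes one byte past
 * a buffer of seq_len bytes. */
static int feature_out_of_range_buggy(int pos, int seq_len)
{
    return pos > seq_len;
}

/* Corrected test: the last valid index is seq_len - 1. */
static int feature_out_of_range_fixed(int pos, int seq_len)
{
    return pos < 0 || pos >= seq_len;
}

/* Rebuild a read of seq_len bytes: copy the reference slice starting at
 * ref_pos, then apply substitution features.  'out_cap' is the true size of
 * 'out' so a caller can over-allocate and observe what the buggy check
 * permits without a real out-of-bounds write.  Returns the number of
 * rejected features, or -1 on invalid input. */
int decode_read(const char *ref, int ref_len, int ref_pos,
                const feature_t *feats, int nfeat, int seq_len,
                char *out, int out_cap, int use_fix)
{
    if (seq_len < 0 || ref_pos < 0 || ref_pos + seq_len > ref_len ||
        out_cap < seq_len)
        return -1;
    memcpy(out, ref + ref_pos, (size_t)seq_len);

    int rejected = 0;
    for (int i = 0; i < nfeat; i++) {
        int oob = use_fix ? feature_out_of_range_fixed(feats[i].pos, seq_len)
                          : feature_out_of_range_buggy(feats[i].pos, seq_len);
        if (oob) {
            rejected++;
            continue;
        }
        /* Demo-only safety net: never write outside the real allocation. */
        if (feats[i].pos < 0 || feats[i].pos >= out_cap)
            return -1;
        out[feats[i].pos] = feats[i].base;
    }
    return rejected;
}

/* Decode a constructed record with one in-range substitution and one feature
 * at offset seq_len (the first byte past the sequence).  The output buffer is
 * allocated one byte larger than the sequence and a sentinel placed in the
 * extra byte, standing in for whatever heap object would follow in a real
 * allocation.  Returns 1 if the sentinel was overwritten, 0 if it is intact,
 * -1 on error. */
int sentinel_clobbered(int use_fix)
{
    const char ref[] = "ACGTACGTACGT";           /* constructed reference */
    const int  seq_len = 8;
    feature_t  feats[] = { { 2, 'T' }, { seq_len, 'G' } };
    char *buf = malloc((size_t)seq_len + 1);
    if (!buf)
        return -1;
    buf[seq_len] = '#';                          /* sentinel */
    int rc = decode_read(ref, (int)strlen(ref), 0, feats, 2, seq_len,
                         buf, seq_len + 1, use_fix);
    int clobbered = (rc < 0) ? -1 : (buf[seq_len] != '#');
    free(buf);
    return clobbered;
}

int main(void)
{
    printf("buggy check: byte past end overwritten = %d\n", sentinel_clobbered(0));
    printf("fixed check: byte past end overwritten = %d\n", sentinel_clobbered(1));
    return 0;
}
```

In a real allocation there is no spare byte: the write lands on the allocator's metadata or the next object, which is why the same one-byte error yields anything from a clean crash to an exploitable corruption depending on the heap layout at the time.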

Affected Systems

The flaw is in htslib, maintained under the samtools project on GitHub and used, linked or bundled, by a wide range of bioinformatics tools to read and write compressed alignment files. Fixes ship in 1.21.1, 1.22.2 and 1.23.1; any release without one of those fixes is affected, including 1.23.0, the 1.22 releases before 1.22.2, 1.21.0 and any earlier series that has not received a backport. Because the vulnerable code is the CRAM decoder, any system that decodes CRAM files with an unpatched htslib is at risk, including tools that carry their own copy of the library rather than linking the system package and therefore need their own rebuild to pick up the fix.

Risk and Exploitability

The CNA's CVSS 4.0 score of 8.8 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L) treats the library as reachable over the network with no user interaction, NVD's CVSS 3.1 score of 8.1 requires user interaction, and Red Hat's 7.3 (AV:L/PR:L/UI:R) treats it as a local, user-triggered issue; the spread reflects how the library is deployed, not disagreement about the bug. The EPSS score below 1% and the absence of the CVE from CISA's KEV catalog indicate no known exploitation at publication time (SSVC: Exploitation none, Automatable yes), not that exploitation is difficult. Triggering the bug only requires that a crafted CRAM file be decoded: locally when a user opens the file, or remotely when a pipeline, web service or upload handler decodes CRAM received from an untrusted source. The primitive is a single attacker-controlled byte written one position past the end of the sequence buffer, so the outcome depends on the allocator and on what happens to sit next to that buffer in the heap: a crash or corrupted output is the likely result, and code execution is possible but not demonstrated. There is no workaround, so updating to a fixed release is the only mitigation.

Generated by OpenCVE AI on March 19, 2026 at 16:51 UTC.

Remediation

Fixed in htslib 1.23.1, 1.22.2 and 1.21.1. No workaround is available; the only mitigation is to update to a fixed release (or to stop decoding untrusted CRAM files until you can).

OpenCVE Recommended Actions

  • Upgrade htslib to version 1.23.1 or later, or to the patched point release of the series you run (1.22.2 or 1.21.1).
  • Rebuild or update tools that link or bundle htslib so they actually pick up the fixed library; `samtools --version` and `htsfile --version` print the htslib version in use.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Htslib; Htslib htslib
CPEs | | cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*; cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*
Vendors & Products | | Htslib; Htslib htslib
Metrics | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'} | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


Thu, 19 Mar 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Samtools; Samtools htslib
Vendors & Products | | Samtools; Samtools htslib

Thu, 19 Mar 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-193
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}; threat_severity Important


Wed, 18 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding these features, an out-by-one error in a test for CRAM features that appear beyond the extent of the CRAM record sequence could result in an invalid write of one attacker-controlled byte beyond the end of a heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Title | | HTSlib CRAM reader has heap buffer overflow due to improper validation of input
Weaknesses | | CWE-122; CWE-129; CWE-787
References | |
Metrics | | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T18:52:43.260Z

Reserved: 2026-03-10T15:40:10.484Z

Link: CVE-2026-31963

Vulnrichment

Updated: 2026-03-18T18:52:37.229Z

NVD

Status: Analyzed

Published: 2026-03-18T19:16:04.440

Modified: 2026-03-19T14:50:54.513

Link: CVE-2026-31963

Redhat

Severity: Important

Public Date: 2026-03-18T18:22:58Z

Links: CVE-2026-31963 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T11:52:27Z