Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `CONST`, `XPACK` and `XRLE` encodings did not properly implement the interface needed to do this. Trying to decode records with omitted sequence or quality data using these encodings would result in an attempt to write to a NULL pointer. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Null pointer dereference causing program crash (DoS)
Action: Patch
AI Analysis

Impact

HTSlib is a widely used library for processing bioinformatics file formats, including the compressed CRAM format. The vulnerability lies in the handling of the CONST, XPACK, and XRLE encodings when a CRAM record omits its sequence or quality data. Those records still carry encoded bytes that must be consumed and then discarded, but these three decoders did not implement that discard path and instead write through the output pointer, which is NULL for an omitted field. The result is a classic NULL pointer dereference (CWE-476): the impact is a denial of service (process crash); the flaw by itself offers no data exfiltration or code execution.
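To make the failure mode concrete, here is an added example that is not HTSlib's code and does not use the real CRAM wire format: a toy run-length codec over a constructed (value, run) byte-pair encoding, shown in the buggy form that writes straight through the output pointer and in the fixed form that consumes its input identically but only writes when a destination buffer exists. `decode_record` models a record whose quality field is omitted by passing NULL for it, which shows why a skipped field still has to be consumed so that the following sequence field decodes from the right stream offset. All names (`stream_t`, `rle_decode_unsafe`, `rle_decode_safe`, `decode_record`, `RECORD`) and the byte layout are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of a CRAM-style codec interface (not HTSlib's API): a decoder
 * is asked for n output bytes and must always consume its share of the input
 * stream, even when the caller passes out == NULL because the record omits
 * that field. */
typedef struct {
    const uint8_t *p;     /* next unread byte */
    const uint8_t *end;   /* one past the last byte */
} stream_t;

/* Constructed run-length format for this example (not CRAM's XRLE format):
 * a sequence of (value, run) byte pairs. */

/* Buggy pattern: writes straight into out, so an omitted field (out == NULL)
 * dereferences NULL on the first memset. */
int rle_decode_unsafe(stream_t *in, size_t n, uint8_t *out) {
    size_t produced = 0;
    while (produced < n) {
        if (in->end - in->p < 2) return -1;            /* truncated input */
        uint8_t val = in->p[0], run = in->p[1];
        in->p += 2;
        if (run > n - produced) run = (uint8_t)(n - produced);
        memset(out + produced, val, run);              /* NULL deref if out == NULL */
        produced += run;
    }
    return 0;
}

/* Fixed pattern: the input is consumed exactly as above, but output is only
 * written when a destination exists, so a skipped field still leaves the
 * stream positioned at the start of the next field. */
int rle_decode_safe(stream_t *in, size_t n, uint8_t *out) {
    size_t produced = 0;
    while (produced < n) {
        if (in->end - in->p < 2) return -1;            /* truncated input */
        uint8_t val = in->p[0], run = in->p[1];
        in->p += 2;
        if (run > n - produced) run = (uint8_t)(n - produced);
        if (out) memset(out + produced, val, run);     /* discard when out == NULL */
        produced += run;
    }
    return 0;
}

/* Constructed record with two encoded fields: 8 quality bytes followed by
 * 4 sequence bytes, both in the toy RLE format above. */
static const uint8_t RECORD[] = {
    'F', 8,              /* quality: 8 x 'F' */
    'A', 2, 'C', 2,      /* sequence: "AACC" */
};

/* Decode RECORD, skipping the quality field (out == NULL) when omit_qual is
 * set, and store the decoded sequence in seq. Returns 0 on success, -1 if a
 * field is truncated or the record is not fully consumed. */
int decode_record(int omit_qual, uint8_t seq[4]) {
    stream_t in = { RECORD, RECORD + sizeof RECORD };
    uint8_t qual[8];
    if (rle_decode_safe(&in, 8, omit_qual ? NULL : qual) != 0) return -1;
    if (rle_decode_safe(&in, 4, seq) != 0) return -1;
    return in.p == in.end ? 0 : -1;                   /* whole record consumed */
}

int main(void) {
    uint8_t seq[4];
    if (decode_record(1, seq) != 0) return 1;
    printf("sequence decoded with quality skipped: %.4s\n", seq);
    return 0;
}
```

The only behavioural difference between the two decoders is the `if (out)` guard; the stream bookkeeping is identical, which is the property the CRAM discard path needs so that later fields in the same record stay aligned.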

Affected Systems

The affected product is samtools:htslib. All releases of HTSlib that predate the patched versions are vulnerable. The CVE notes that versions 1.23.1, 1.22.2, and 1.21.1 contain the fix; therefore any older release in those series (1.23.0, 1.22.1, 1.21.0, and anything earlier) should be considered vulnerable.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in CISA's KEV catalog. The most plausible attack vector is a crafted CRAM file that triggers the faulty decoder during normal processing; the file may come from a local user or from a remote user submitting data to a service that incorporates HTSlib, which is why the two CVSS 3.1 vectors recorded in the history below differ on attack vector (AV:N scoring 7.5, AV:L scoring 5.0). The crash terminates the consuming process, causing service interruption without compromising other system components.

Generated by OpenCVE AI on March 19, 2026 at 16:51 UTC.

Remediation

Fixed in HTSlib 1.23.1, 1.22.2 and 1.21.1. The advisory states that there is no workaround.

OpenCVE Recommended Actions

  • Upgrade HTSlib to version 1.23.1, 1.22.2, or 1.21.1, or later, as these releases contain the bug fix.
  • Verify that any applications using HTSlib are linked against the patched library, including statically linked or vendored copies; if an upgrade cannot be performed immediately, treat CRAM files from untrusted sources as unsafe to process, since the advisory states there is no workaround.


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 15:00:00 +0000

Type: First Time appeared
  Values Added: Htslib; Htslib htslib
Type: CPEs
  Values Added: cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*; cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Htslib; Htslib htslib
Type: Metrics
  Values Removed: cvssV3_1 {'score': 5.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
  Values Added: Samtools; Samtools htslib
Type: Vendors & Products
  Values Added: Samtools; Samtools htslib

Thu, 19 Mar 2026 00:15:00 +0000

Type: References
Type: Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 5.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}; threat_severity Moderate


Wed, 18 Mar 2026 19:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 18:45:00 +0000

Type: Description
  Values Added: HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `CONST`, `XPACK` and `XRLE` encodings did not properly implement the interface needed to do this. Trying to decode records with omitted sequence or quality data using these encodings would result in an attempt to write to a NULL pointer. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Type: Title
  Values Added: HTSlib CRAM decoder has a NULL Pointer Dereference
Type: Weaknesses
  Values Added: CWE-476
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T18:46:29.177Z

Reserved: 2026-03-10T15:40:10.484Z

Link: CVE-2026-31964

Vulnrichment

Updated: 2026-03-18T18:46:22.574Z

NVD

Status: Analyzed

Published: 2026-03-18T19:16:04.633

Modified: 2026-03-19T14:50:24.563

Link: CVE-2026-31964

Redhat

Severity: Moderate

Published: 2026-03-18T18:27:26Z

Links: CVE-2026-31964 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T11:52:26Z

Weaknesses