Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, validation of the reference id field occurred too late, allowing two out of bounds reads to occur before the invalid data was detected. The bug does allow two values to be leaked to the caller, however as the function reports an error it may be difficult to exploit them. It is also possible that the program will crash due to trying to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Apply Patch
AI Analysis

Impact

The vulnerability occurs in the cram_decode_slice() function of htslib, where validation of the reference id field happens too late in the decoding process. This allows two out-of-bounds reads that could leak values to the caller or cause a crash when the function attempts to access invalid memory. The primary impact is memory corruption and potential information leakage, categorized under CWE-125 (Out-of-Bounds Read) and CWE-129 (Race Condition, Logical).

Affected Systems

Affected products include the htslib library used by SamTools. Versions 1.23.1, 1.22.2, and 1.21.1 are vulnerable. The corresponding CPE strings are cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:* and cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability, while the EPSS score of less than 1% denotes a low probability of exploitation. It is not listed in the CISA KEV catalog, implying no known widespread exploitation. The likely attack vector is local or remote if a malicious CRAM file can be supplied to the software; however, a successful exploit requires the ability to provide malformed CRAM data to the application.

Generated by OpenCVE AI on March 19, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update htslib to version 1.23.1 or later to apply the official fix.

Generated by OpenCVE AI on March 19, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Htslib
Htslib htslib
CPEs cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*
cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*
Vendors & Products Htslib
Htslib htslib
Metrics cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H'}

 cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Samtools
Samtools htslib
Vendors & Products Samtools
Samtools htslib

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H'}

threat_severity

Moderate

Wed, 18 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, validation of the reference id field occurred too late, allowing two out of bounds reads to occur before the invalid data was detected. The bug does allow two values to be leaked to the caller, however as the function reports an error it may be difficult to exploit them. It is also possible that the program will crash due to trying to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Title HTSlib CRAM reader has out-of-bounds reads due to improper validation of input
Weaknesses CWE-125
CWE-129
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Htslib Htslib
Samtools Htslib
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T14:52:36.357Z

Reserved: 2026-03-10T15:40:10.484Z

Link: CVE-2026-31965

cve-icon Vulnrichment

Updated: 2026-03-19T14:52:32.516Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T19:16:04.823

Modified: 2026-03-19T14:47:35.917

Link: CVE-2026-31965

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-18T18:50:37Z

Links: CVE-2026-31965 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:52:25Z

Weaknesses