Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding CRAM records, the reference data is stored in a char array, and parts matching the alignment record sequence are copied over as necessary. Due to insufficient validation of the feature data series, it was possible to make the `cram_decode_seq()` function copy data from either before the start, or after the end of the stored reference either into the buffer used to store the output sequence for the cram record, or into the buffer used to build the SAM `MD` tag. This allowed arbitrary data to be leaked to the calling function. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

HTSlib's CRAM decoder, specifically the cram_decode_seq() function, does not sufficiently validate the feature data series that describes how an alignment record differs from the external reference. The decoder copies spans of the in-memory reference into the output sequence buffer and into the buffer used to build the SAM MD tag, and because feature positions are not checked against the reference bounds those copies can start before the beginning of the stored reference or run past its end. A crafted or malformed CRAM file can therefore leak adjacent process memory into the returned sequence or MD tag (an information disclosure to the calling program, and via its output potentially to whoever receives the decoded data), or crash the process through an invalid memory access. The out-of-bounds access is on the copy source, not the destination, so this is a read rather than a write; it is tracked as CWE-125 (Out-of-bounds Read) and CWE-129 (Improper Validation of Array Index).
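To make the bug class in the description and the Impact paragraph above concrete, the following C program is an added example written for this page; it is not HTSlib's cram_decode_seq() code and does not model the MD tag path. It is a toy of the reference-copy step a CRAM sequence decoder performs between features: the feature codes ('X' substitution, 'I' insertion), the 1-based read positions, the 20-base reference and the marker-padded arena around it are all constructed for the example. decode_seq_unchecked() trusts the record's reference position and the feature positions, so a negative position, or one close to the end of the reference, copies the marker bytes that surround the reference in this arena (in a real process, whatever memory happens to lie there). decode_seq_checked() validates every reference slice and feature position before copying and rejects the record instead.

```c
/* Added example, not HTSlib source: a toy model of the reference-copy step
 * in a CRAM sequence decoder, unchecked versus bounds-checked.
 * Two feature codes are modelled: 'X' (substitute one base, consumes one
 * reference base) and 'I' (insert one base, consumes no reference base).
 * A feature's pos is a 1-based offset within the read; this toy requires
 * positions to be strictly increasing, a simplification of the real format. */
#include <stdio.h>
#include <string.h>

typedef struct {
    char code;  /* 'X' or 'I' */
    int  pos;   /* 1-based position within the read */
    char base;  /* base to emit at that position */
} feature_t;

/* Constructed sample: a 20-base reference inside a larger arena padded with
 * marker bytes, so an unchecked read past either end lands on 'p'/'s' bytes
 * instead of on memory outside the allocation. In a real process the bytes
 * before and after the reference would be whatever the allocator put there. */
static const char ARENA[] = "ppppppppACGTACGTACGTACGTACGTssssssss";
#define REF     (ARENA + 8)
#define REF_LEN 20L

/* Vulnerable pattern: trusts ref_pos and every feature position. Out-of-range
 * values turn into out-of-bounds reads of the reference. */
void decode_seq_unchecked(const char *ref, long ref_pos,
                          const feature_t *feats, int nfeat,
                          int read_len, char *seq)
{
    int  seq_i = 0;        /* next output position in the read */
    long ref_i = ref_pos;  /* current reference coordinate */
    for (int f = 0; f < nfeat; f++) {
        long span = feats[f].pos - 1 - seq_i;       /* matching bases before the feature */
        memcpy(seq + seq_i, ref + ref_i, (size_t)span);
        seq_i += (int)span; ref_i += span;
        seq[seq_i++] = feats[f].base;
        if (feats[f].code == 'X') ref_i++;          /* substitution consumes a ref base */
    }
    memcpy(seq + seq_i, ref + ref_i, (size_t)(read_len - seq_i)); /* trailing match */
    seq[read_len] = '\0';
}

/* Hardened pattern: every reference slice is checked against [0, ref_len) and
 * every feature position against the read before any copy happens.
 * Returns 0 on success, -1 on malformed feature data. */
int decode_seq_checked(const char *ref, long ref_len, long ref_pos,
                       const feature_t *feats, int nfeat,
                       int read_len, char *seq, size_t seq_cap)
{
    if (read_len < 0 || (size_t)read_len + 1 > seq_cap) return -1;
    int  seq_i = 0;
    long ref_i = ref_pos;
    for (int f = 0; f < nfeat; f++) {
        if (feats[f].pos < 1 || feats[f].pos > read_len) return -1; /* outside the read */
        long span = feats[f].pos - 1 - seq_i;
        if (span < 0) return -1;                             /* position went backwards */
        if (ref_i < 0 || ref_i + span > ref_len) return -1;  /* slice outside the reference */
        memcpy(seq + seq_i, ref + ref_i, (size_t)span);
        seq_i += (int)span; ref_i += span;
        switch (feats[f].code) {
        case 'X':
            if (ref_i >= ref_len) return -1;  /* no reference base left to substitute */
            seq[seq_i++] = feats[f].base; ref_i++; break;
        case 'I':
            seq[seq_i++] = feats[f].base; break;
        default:
            return -1;                        /* unknown feature code */
        }
    }
    long span = read_len - seq_i;
    if (ref_i < 0 || span < 0 || ref_i + span > ref_len) return -1; /* trailing slice */
    memcpy(seq + seq_i, ref + ref_i, (size_t)span);
    seq[read_len] = '\0';
    return 0;
}

int main(void)
{
    char seq[64];
    const feature_t sub = { 'X', 3, 'T' };

    decode_seq_unchecked(REF, 2, &sub, 1, 6, seq);
    printf("valid record, unchecked: %s\n", seq);
    printf("valid record, checked:   rc=%d seq=%s\n",
           decode_seq_checked(REF, REF_LEN, 2, &sub, 1, 6, seq, sizeof seq), seq);

    decode_seq_unchecked(REF, -3, NULL, 0, 5, seq);
    printf("ref_pos before reference start, unchecked: %s (marker bytes leaked)\n", seq);
    printf("ref_pos before reference start, checked:   rc=%d\n",
           decode_seq_checked(REF, REF_LEN, -3, NULL, 0, 5, seq, sizeof seq));

    decode_seq_unchecked(REF, 17, NULL, 0, 6, seq);
    printf("record running past reference end, unchecked: %s\n", seq);
    printf("record running past reference end, checked:   rc=%d\n",
           decode_seq_checked(REF, REF_LEN, 17, NULL, 0, 6, seq, sizeof seq));
    return 0;
}
```

The checked variant rejects the record as a whole rather than clamping the copy, which is the behaviour a decoder wants here: a feature series that walks off the reference is malformed input, and silently truncating it would produce a wrong sequence without signalling anything to the caller.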

Affected Systems

Product: HTSlib (samtools/htslib), the library behind samtools, bcftools and other tools that read CRAM. The releases that contain the fix are 1.23.1, 1.22.2 and 1.21.1; anything older on each of those release lines is affected. The public CPE data lists htslib with a wildcard version and 1.23 specifically. Users running an unfixed version, or tools that bundle or statically link one, are impacted and must update to a fixed version.

Risk and Exploitability

The CNA-assigned CVSS 4.0 base score is 6.9 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L; NVD additionally records a CVSS 3.1 score of 9.1 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H. Both rate the attack vector as network: the attacker only has to get a crafted CRAM file in front of a process that decodes it with HTSlib (for example a pipeline that ingests uploaded or downloaded alignment data), and needs no privileges or user interaction beyond the normal file-processing path. EPSS is reported as less than 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The SSVC record rates it Automatable: yes, Exploitation: none, Technical Impact: partial.

Generated by OpenCVE AI on March 19, 2026 at 15:30 UTC.

Remediation

Vendor fix: HTSlib 1.23.1, 1.22.2 and 1.21.1 contain the fix. No workaround is available; until the upgrade is applied, treat CRAM input from untrusted sources as unsafe to decode.

OpenCVE Recommended Actions

  • Upgrade htslib to a release that contains the fix for CVE-2026-31966: 1.23.1, or 1.22.2 / 1.21.1 on the older release lines. Rebuild or update tools that bundle or statically link HTSlib so they pick up the fixed library.


Tracking


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:45:00 +0000

Type / Values Removed / Values Added
First Time appeared / (none) / Htslib; Htslib htslib
CPEs / (none) / cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*; cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*
Vendors & Products / (none) / Htslib; Htslib htslib
Metrics / (none) / cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Thu, 19 Mar 2026 09:45:00 +0000

Type / Values Removed / Values Added
First Time appeared / (none) / Samtools; Samtools htslib
Vendors & Products / (none) / Samtools; Samtools htslib

Wed, 18 Mar 2026 20:15:00 +0000

Type / Values Removed / Values Added
Metrics / (none) / ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 19:30:00 +0000

Type / Values Removed / Values Added
Description / (none) / (the full description text shown at the top of this page)
Title / (none) / HTSlib CRAM reader has out-of-bounds read due to improper validation of input
Weaknesses / (none) / CWE-125; CWE-129
References / (none) / (not shown)
Metrics / (none) / cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T19:58:26.525Z

Reserved: 2026-03-10T15:40:10.484Z

Link: CVE-2026-31966

Vulnrichment

Updated: 2026-03-18T19:58:22.331Z

NVD

Status : Analyzed

Published: 2026-03-18T20:16:21.060

Modified: 2026-03-19T14:44:04.400

Link: CVE-2026-31966

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:52:24Z

Weaknesses