Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, the value of the mate reference id field was not validated. Later use of this value, for example when converting the data to SAM format, could result in out-of-bounds array reads when looking up the corresponding reference name. If the array value obtained also happened to be a valid pointer, it would be interpreted as a string and an attempt would be made to write the data as part of the SAM record. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
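As an added defensive illustration (not HTSlib's own code or data structures), the check the description implies: the mate reference id read from the file is range-validated before it is used to index the reference-name table when the SAM RNEXT field is built, so a corrupt id is rejected instead of reading past the array. The reference-name table, the sample records and the function names are constructed here; the only SAM conventions relied on are "*" for a mate with no reference and "=" for a mate on the same reference as the read.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a header's reference dictionary (hypothetical). */
static const char *ref_names[] = { "chr1", "chr2", "chrM" };
#define N_REFS ((int)(sizeof ref_names / sizeof ref_names[0]))

/* Validate a mate reference id taken from the file before it is used as an
 * array index. -1 is the conventional "no reference" value; any other value
 * must lie in [0, n_refs). Returns 0 if usable, -1 if the record is corrupt. */
int validate_mate_ref_id(int mate_ref_id, int n_refs) {
    if (mate_ref_id == -1) return 0;
    if (mate_ref_id < 0 || mate_ref_id >= n_refs) return -1;
    return 0;
}

/* Produce the SAM RNEXT string for a read on reference ref_id whose mate is
 * on mate_ref_id. Returns NULL, rather than indexing names[] out of bounds,
 * when the mate id fails validation. */
const char *sam_rnext(int ref_id, int mate_ref_id, const char **names, int n_refs) {
    if (validate_mate_ref_id(mate_ref_id, n_refs) != 0) return NULL;
    if (mate_ref_id == -1) return "*";          /* mate has no reference */
    if (mate_ref_id == ref_id) return "=";      /* same reference as the read */
    return names[mate_ref_id];                  /* index is now known to be in range */
}

int main(void) {
    /* Constructed sample records: {ref_id, mate_ref_id}; the last three carry
     * ids that a decoder must refuse rather than use as an index. */
    int samples[][2] = { {0, 0}, {0, 2}, {1, -1}, {0, 3}, {0, -7}, {0, 0x7fffffff} };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        const char *r = sam_rnext(samples[i][0], samples[i][1], ref_names, N_REFS);
        if (r) printf("mate_ref_id=%d -> RNEXT %s\n", samples[i][1], r);
        else   printf("mate_ref_id=%d -> rejected (out of range)\n", samples[i][1]);
    }
    return 0;
}
```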
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure / Crash
Action: Apply Patch
AI Analysis

Impact

HTSlib contains an out‑of‑bounds read in the cram_decode_slice() function due to lack of validation of the mate reference id field. This flaw allows an attacker who supplies a malicious CRAM file to cause the library to read beyond intended array bounds and potentially expose internal program state or crash the process. The weakness matches the Common Weakness Enumerations CWE-125 and CWE-129, indicating an out‑of‑bounds read and signed/unsigned mismatch. The impact is limited to information disclosure and denial of service within the context of the application using the library; it does not provide remote code execution or privilege escalation on its own.

Affected Systems

Affected products are HTSlib used within the samtools:htslib ecosystem. The vulnerability is present in releases 1.21.1, 1.22.2, and 1.23.0. Fixes are included in version 1.23.1 and later releases. No other vendors or products are listed in the known CNA data.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. The EPSS score is below 1%, suggesting that the likelihood of active exploitation is low, and the issue is not currently listed in the CISA KEV catalog. Exploitation would require an attacker to supply a crafted CRAM file to a vulnerable application; no remote network attack vector is specified in the input. Thus, the overall risk is moderate but depends on whether the affected HTSlib version is used in publicly accessible pipelines.

Generated by OpenCVE AI on March 19, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HTSlib to version 1.23.1 or later; the latest release contains the patch.



Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Htslib
Htslib htslib
CPEs cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*
cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*
Vendors & Products Htslib
Htslib htslib
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Samtools
Samtools htslib
Vendors & Products Samtools
Samtools htslib

Wed, 18 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, the value of the mate reference id field was not validated. Later use of this value, for example when converting the data to SAM format, could result in the out of bounds array reads when looking up the corresponding reference name. If the array value obtained also happened to be a valid pointer, it would be interpreted as a string and an attempt would be made to write the data as part of the SAM record. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Title HTSlib CRAM reader has out-of-bounds read due to improper validation of input
Weaknesses CWE-125
CWE-129
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T19:58:55.083Z

Reserved: 2026-03-10T15:40:10.485Z

Link: CVE-2026-31967

Vulnrichment

Updated: 2026-03-18T19:58:51.581Z

NVD

Status : Analyzed

Published: 2026-03-18T20:16:21.280

Modified: 2026-03-19T14:36:34.813

Link: CVE-2026-31967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:52:23Z

Weaknesses