Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_STOP` method, an out-by-one error in the `cram_byte_array_stop_decode_char()` function check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Published: 2026-03-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

An out-by-one error in HTSlib's cram_byte_array_stop_decode_char() function allows the CRAM decoder to write a single byte past the end of a dynamically allocated buffer when processing data encoded with the BYTE_ARRAY_STOP method. This heap buffer overflow can cause the application to crash or corrupt memory and may, in certain circumstances, enable an attacker to execute arbitrary code. The vulnerability is classified as CWE-122 and CWE-787.

Affected Systems

The affected product is HTSLib, used by the Samtools toolkit. Versions 1.23.1, 1.22.2 and 1.21.1 contain the fix, meaning any installation of earlier releases—including 1.23.0 and prior—is vulnerable. The issue is specific to the CRAM decoding component of the library.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity. The EPSS score is below 1%, suggesting low exploitation probability in the wild, and the vulnerability is not listed in CISA's KEV catalog. Attackers would need to supply a malicious CRAM file that uses the BYTE_ARRAY_STOP encoding to trigger the overflow, which typically requires local access or the ability to influence the data the program reads.

Generated by OpenCVE AI on March 19, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of HTSLib (1.23.1 or newer) which includes the buffer overflow fix.
  • Verify that your installation is not using a vulnerable version by checking the library version string.
  • Until the library can be updated, avoid opening untrusted CRAM files or restrict file access to trusted users.

Generated by OpenCVE AI on March 19, 2026 at 15:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Htslib
Htslib htslib
CPEs cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*
cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*
Vendors & Products Htslib
Htslib htslib
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Samtools
Samtools htslib
Vendors & Products Samtools
Samtools htslib

Wed, 18 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_STOP` method, an out-by-one error in the `cram_byte_array_stop_decode_char()` function check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Title HTSlib CRAM decoder has a heap buffer overflow
Weaknesses CWE-122
CWE-787
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Htslib Htslib
Samtools Htslib
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T20:12:53.495Z

Reserved: 2026-03-10T15:40:10.485Z

Link: CVE-2026-31969

cve-icon Vulnrichment

Updated: 2026-03-18T20:12:46.162Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T20:16:21.743

Modified: 2026-03-19T13:59:56.393

Link: CVE-2026-31969

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:52:20Z

Weaknesses