Description
HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP [BGZF] files. In the GZI loading function, `bgzf_index_load_hfile()`, it was possible to trigger an integer overflow, leading to an under- or zero-sized buffer being allocated to store the index. Sixteen zero bytes would then be written to this buffer, and, depending on the result of the overflow the rest of the file may also be loaded into the buffer as well. If the function did attempt to load the data, it would eventually fail due to not reading the expected number of records, and then try to free the overflowed heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. The easiest work-around is to discard any `.gzi` index files from untrusted sources, and use the `bgzip -r` option to recreate them.
Published: 2026-03-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

HTSlib's BGZF index (.gzi) reader contains a heap buffer overflow caused by an integer overflow in bgzf_index_load_hfile(). A crafted .gzi file can make the loader allocate an under- or zero-sized buffer for the index; sixteen zero bytes are then written into that buffer and, depending on the result of the overflow, the remainder of the file may be read into it as well. If loading proceeds, it eventually fails because the expected number of records is not read, and the overflowed heap buffer is then freed. The outcome is a crash or corruption of heap data and allocator metadata, which may be leveraged for arbitrary code execution. The assigned weaknesses are CWE-122 (heap-based buffer overflow), CWE-1284 (improper validation of specified quantity in input), CWE-131 (incorrect calculation of buffer size), CWE-190 (integer overflow or wraparound) and CWE-787 (out-of-bounds write).
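As an added illustration of the bug class described in the description and summary above, and not HTSlib's own code or the exact expression its fix changed, the C program below models a .gzi loader. The index layout assumed here (a little-endian uint64 record count followed by 16-byte records holding a compressed and an uncompressed offset) matches bgzip's documented format, but the function names, the unchecked size expression `(n + 1) * 16` and the sample index are constructed for this example. The unchecked computation wraps to 0 or 16 bytes for a hostile count, which is exactly the under- or zero-sized allocation the advisory describes; the checked loader bounds the count against SIZE_MAX and against the file length before allocating anything.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed .gzi layout: little-endian uint64 record count, then that many
 * 16-byte records (compressed offset, uncompressed offset). The in-memory
 * table gets one extra leading entry set to (0,0). */
#define GZI_ENTRY_SIZE 16u

typedef struct { uint64_t caddr; uint64_t uaddr; } gzi_entry;

static uint64_t rd_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

static void wr_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) { p[i] = (uint8_t)(v & 0xff); v >>= 8; }
}

/* Unchecked size computation (modelled, not HTSlib's code): (n + 1) records
 * of 16 bytes in 64-bit unsigned arithmetic wraps modulo 2^64, so a hostile
 * count yields 0 or a few bytes and the 16-byte write of entry 0 plus the
 * record reads land outside the allocation. */
uint64_t unchecked_index_bytes(uint64_t n) {
    return (n + 1) * GZI_ENTRY_SIZE;
}

/* Hardened loader for a complete in-memory .gzi image. Returns the record
 * count, with *out holding n + 1 entries (entry 0 zeroed), or -1 when the
 * claimed count cannot be allocated or is not backed by the file. */
long gzi_load_checked(const uint8_t *buf, size_t len, gzi_entry **out) {
    *out = NULL;
    if (len < 8) return -1;
    uint64_t n = rd_le64(buf);
    /* (n + 1) * sizeof(gzi_entry) must fit in size_t before any arithmetic. */
    if (n >= SIZE_MAX / sizeof(gzi_entry)) return -1;
    /* The body must contain exactly n records: rejects any count the file
     * cannot back up, and it is the cheapest check so it runs first. */
    size_t body = len - 8;
    if (body % GZI_ENTRY_SIZE != 0 || body / GZI_ENTRY_SIZE != n) return -1;
    gzi_entry *idx = calloc((size_t)n + 1, sizeof *idx);
    if (!idx) return -1;
    const uint8_t *p = buf + 8;
    for (uint64_t i = 0; i < n; i++, p += GZI_ENTRY_SIZE) {
        idx[i + 1].caddr = rd_le64(p);
        idx[i + 1].uaddr = rd_le64(p + 8);
    }
    *out = idx;
    return (long)n;
}

/* Build a constructed .gzi image whose header claims `claimed` records while
 * the body holds `actual` of them. Returns the image length, 0 if too big. */
size_t gzi_build(uint8_t *buf, size_t cap, uint64_t claimed,
                 const gzi_entry *ents, size_t actual) {
    size_t need = 8 + actual * GZI_ENTRY_SIZE;
    if (need > cap) return 0;
    wr_le64(buf, claimed);
    for (size_t i = 0; i < actual; i++) {
        wr_le64(buf + 8 + i * GZI_ENTRY_SIZE, ents[i].caddr);
        wr_le64(buf + 16 + i * GZI_ENTRY_SIZE, ents[i].uaddr);
    }
    return need;
}

/* Returns 0 when every verdict below is as expected, otherwise the number of
 * the first scenario that misbehaved. Sample offsets are constructed. */
int run_scenarios(void) {
    const gzi_entry ents[2] = { {65280, 65536}, {130000, 131072} };
    uint8_t img[64];
    gzi_entry *idx = NULL;
    /* 1: well-formed two-record index loads and keeps the (0,0) lead entry. */
    size_t len = gzi_build(img, sizeof img, 2, ents, 2);
    if (gzi_load_checked(img, len, &idx) != 2 || idx[0].uaddr != 0 ||
        idx[2].uaddr != 131072) return 1;
    free(idx);
    /* 2: count chosen so (n + 1) * 16 wraps to 16 bytes: rejected. */
    len = gzi_build(img, sizeof img, UINT64_MAX / 16 + 1, ents, 2);
    if (gzi_load_checked(img, len, &idx) != -1 || idx != NULL) return 2;
    /* 3: count that wraps (n + 1) itself to 0: rejected. */
    len = gzi_build(img, sizeof img, UINT64_MAX, ents, 2);
    if (gzi_load_checked(img, len, &idx) != -1) return 3;
    /* 4: count larger than the file can hold, no overflow involved: rejected. */
    len = gzi_build(img, sizeof img, 3, ents, 2);
    if (gzi_load_checked(img, len, &idx) != -1) return 4;
    return 0;
}

int main(void) {
    printf("(n+1)*16 for n=UINT64_MAX/16+1 -> %" PRIu64 " bytes\n",
           unchecked_index_bytes(UINT64_MAX / 16 + 1));
    printf("(n+1)*16 for n=UINT64_MAX      -> %" PRIu64 " bytes\n",
           unchecked_index_bytes(UINT64_MAX));
    printf("scenario result: %d\n", run_scenarios());
    return 0;
}
```

The length check is the one that matters most in practice: an index that claims more records than the file contains is malformed whether or not the arithmetic overflows, and checking it before the multiplication means the allocation size is derived from a count the file has already proven it can supply.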

Affected Systems

The vulnerability is in HTSlib, the I/O library of the samtools project; the affected package is htslib. Releases before 1.21.1 on the 1.21 line, before 1.22.2 on the 1.22 line and before 1.23.1 on the 1.23 line are vulnerable. The CPE entries cover htslib:htslib 1.23 and a wildcard range of earlier releases. Because the bug is in the library, any tool that links HTSlib (samtools itself, bcftools, and language bindings that bundle it) inherits it, so check the version of the linked library rather than only the application version.

Risk and Exploitability

The CVSS 4.0 base score is 7.1 (High); NVD's CVSS 3.1 assessment is 8.1. The EPSS score is below 1% and the issue is not in the CISA KEV catalog, so widespread exploitation is currently unlikely. Triggering the bug requires an application that uses HTSlib to open an attacker-supplied .gzi index, for example one distributed alongside the BGZF-compressed data file it describes; both CVSS vectors model this as a network attack vector with user interaction required and no privileges needed. The SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. The consequences are denial of service through a crash, or heap corruption that may be turned into code execution.

Generated by OpenCVE AI on March 19, 2026 at 15:57 UTC.

Remediation

Fixed in HTSlib 1.23.1, 1.22.2 and 1.21.1. Workaround: discard any .gzi index files obtained from untrusted sources and regenerate them locally with bgzip -r.

OpenCVE Recommended Actions

  • Upgrade htslib to version 1.23.1 or later (or to 1.22.2 or 1.21.1 if you are pinned to those release lines), and rebuild or update any tools that statically link or bundle HTSlib.
  • If an upgrade is not immediately possible, remove any .gzi index files from untrusted sources and regenerate them with bgzip -r, which rebuilds the index from the BGZF data file itself.


Tracking


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Htslib
                                      Htslib htslib
CPEs                                  cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*
Vendors & Products                    Htslib
                                      Htslib htslib
Metrics                               cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


Thu, 19 Mar 2026 09:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Samtools
                                      Samtools htslib
Vendors & Products                    Samtools
                                      Samtools htslib

Thu, 19 Mar 2026 00:30:00 +0000

Type                 Values Removed   Values Added
References

Wed, 18 Mar 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 20:00:00 +0000

Type                 Values Removed   Values Added
Description                           (the description text shown at the top of this page)
Title                                 HTSlib BGZF index file reader has a heap buffer overflow
Weaknesses                            CWE-122
                                      CWE-1284
                                      CWE-131
                                      CWE-190
                                      CWE-787
References
Metrics                               cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T23:08:18.668Z

Reserved: 2026-03-10T15:40:10.485Z

Link: CVE-2026-31970

Vulnrichment

Updated: 2026-03-18T23:08:18.668Z

NVD

Status : Analyzed

Published: 2026-03-18T20:16:21.980

Modified: 2026-03-19T13:59:29.387

Link: CVE-2026-31970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:52:19Z