Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_LEN` method, `cram_byte_array_len_decode()` failed to validate that the amount of data being unpacked matched the size of the output buffer where it was to be stored. Depending on the data series being read, this could result either in a heap buffer overflow or a stack overflow with attacker-controlled bytes. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Published: 2026-03-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

HTSlib is a bioinformatics library that reads and writes CRAM files. The vulnerability resides in cram_byte_array_len_decode() when decoding data serialized with the BYTE_ARRAY_LEN method. The function fails to validate that the amount of data being unpacked matches the size of the output buffer, allowing an attacker to supply crafted CRAM data that causes either a heap or a stack overflow. This overflow can corrupt program data structures or hijack control flow, potentially leading to arbitrary code execution. The weakness is a classic buffer overflow (CWE-121, CWE-122, CWE-787, CWE-1284) and may be exploited by any user who opens a malicious file.
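As an added illustration of the missing check described above (not HTSlib's code and not the actual patch), the following hypothetical BYTE_ARRAY_LEN-style decoder compares the length read from the stream against both the output buffer's size and the bytes remaining in the input before copying anything. The wire layout assumed here (a 4-byte big-endian length prefix followed by that many bytes), the function names and the sample streams are all constructed for this example; the real CRAM encoding differs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Hypothetical BYTE_ARRAY_LEN-style decoder (illustrative; not HTSlib code).
 * Assumed wire layout: 4-byte big-endian length, then exactly that many bytes.
 *
 * Returns the number of bytes written to `out`, or -1 if the encoded length
 * does not fit the output buffer or exceeds the bytes left in the input.
 * Without the two range checks, a crafted length would drive memcpy past the
 * end of `out`, which is the class of defect this CVE describes.
 */
long decode_byte_array_len(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t out_size)
{
    if (in == NULL || out == NULL || in_len < 4)
        return -1;                          /* truncated length prefix */

    uint32_t len = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                   ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];

    if (len > out_size)                     /* would overflow the destination */
        return -1;
    if (len > in_len - 4)                   /* claims more bytes than the input holds */
        return -1;

    memcpy(out, in + 4, len);
    return (long)len;
}

/* Constructed sample streams used only for this demonstration. */
static const uint8_t sample_valid[]     = { 0x00, 0x00, 0x00, 0x03, 'A', 'C', 'G' };
static const uint8_t sample_oversized[] = { 0x00, 0x00, 0x01, 0x00, 'A', 'C', 'G' }; /* claims 256 bytes */
static const uint8_t sample_truncated[] = { 0x00, 0x00, 0x00, 0x05, 'A', 'C' };      /* claims 5, carries 2 */

/* Each helper decodes one sample into an 8-byte destination and returns the result. */
long decode_sample_valid(void)
{
    uint8_t out[8] = {0};
    return decode_byte_array_len(sample_valid, sizeof sample_valid, out, sizeof out);
}

/* Returns 1 when the valid sample decodes to exactly "ACG", else 0. */
int decode_sample_valid_payload_ok(void)
{
    uint8_t out[8] = {0};
    long n = decode_byte_array_len(sample_valid, sizeof sample_valid, out, sizeof out);
    return n == 3 && memcmp(out, "ACG", 3) == 0;
}

long decode_sample_oversized(void)
{
    uint8_t out[8] = {0};
    return decode_byte_array_len(sample_oversized, sizeof sample_oversized, out, sizeof out);
}

long decode_sample_truncated(void)
{
    uint8_t out[8] = {0};
    return decode_byte_array_len(sample_truncated, sizeof sample_truncated, out, sizeof out);
}

int main(void)
{
    /* Expected results: 3 for the valid stream, -1 for both malformed streams. */
    return (decode_sample_valid() == 3 &&
            decode_sample_valid_payload_ok() == 1 &&
            decode_sample_oversized() == -1 &&
            decode_sample_truncated() == -1) ? 0 : 1;
}
```

The two rejected samples correspond to the two ways a length field can disagree with reality: a value larger than the destination (the overflow case) and a value larger than the remaining input (an over-read). Both are checked before the copy, so a crafted file is refused rather than partially processed.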

Affected Systems

The issue affects the samtools/htslib library in versions prior to 1.23.1, 1.22.2, and 1.21.1. The CPEs recorded for this CVE and the vendor release notes indicate that these releases include the fix. Any deployment that uses the library to process CRAM files is therefore affected, especially bioinformatics pipelines that open untrusted data.

Risk and Exploitability

The CVSS base score is 7.1, indicating a moderate to high severity. The EPSS score is less than 1%, suggesting a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw can lead to remote code execution on the host that runs the library, it is considered a critical risk for systems that ingest untrusted CRAM files. An attacker would need to supply a malicious CRAM file to the vulnerable parser; no additional privileges are required for the attacker to trigger the overflow.

Generated by OpenCVE AI on March 19, 2026 at 15:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the HTSlib library to version 1.23.1 or newer, which includes the buffer-overflow fix.
  • Verify that your bioinformatics pipelines are linked against the updated library and re-compile if necessary.
  • Re-scan or re-validate any CRAM files that were previously processed with older versions to ensure no corruption occurred.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Htslib; Htslib htslib
CPEs                |                | cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*; cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*
Vendors & Products  |                | Htslib; Htslib htslib
Metrics             |                | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}

Thu, 19 Mar 2026 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Samtools; Samtools htslib
Vendors & Products  |                | Samtools; Samtools htslib

Wed, 18 Mar 2026 21:15:00 +0000

Type                | Values Removed | Values Added
Metrics             |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 20:00:00 +0000

Type                | Values Removed | Values Added
Description         |                | HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_LEN` method, the `cram_byte_array_len_decode()` failed to validate that the amount of data being unpacked matched the size of the output buffer where it was to be stored. Depending on the data series being read, this could result either in a heap or a stack overflow with attacker-controlled bytes. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Title               |                | HTSlib CRAM decoder vulnerable to buffer overflow
Weaknesses          |                | CWE-121; CWE-122; CWE-1284; CWE-787
References          |                |
Metrics             |                | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T20:15:22.414Z

Reserved: 2026-03-10T15:40:10.486Z

Link: CVE-2026-31971

Vulnrichment

Updated: 2026-03-18T20:15:14.940Z

NVD

Status: Analyzed

Published: 2026-03-18T20:16:22.243

Modified: 2026-03-19T13:58:31.573

Link: CVE-2026-31971

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:52:18Z