Description
SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The `mpileup` command outputs DNA sequences that have been aligned against a known reference. On each output line it writes the reference position, optionally the reference DNA base at that position (obtained from a separate file) and all of the DNA bases that aligned to that position. As the output is ordered by position, reference data that is no longer needed is discarded once it has been printed out. Under certain conditions the data could be discarded too early, leading to an attempt to read from a pointer to freed memory. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. This bug is fixed in versions 1.21.1 and 1.22. There is no workaround for this issue.
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Disclosure / Crash
Action: Apply Patch
AI Analysis

Impact

SAMtools’ mpileup command contains a use-after-free vulnerability (CWE-416). When reference data is discarded prematurely, the program may read from freed memory, leading to the disclosure of internal state or a program crash.

Affected Systems

The vulnerability affects the samtools:samtools product (CPE: cpe:2.3:a:samtools:samtools:*:*:*:*:*:*:*). Versions released before 1.21.1 (and prior to 1.22) are vulnerable; the issue has been fixed in releases 1.21.1 and 1.22 and later.

Risk and Exploitability

The CVSS score of 6.9 denotes moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to supply crafted input to the mpileup command, implying that the attack vector most likely requires local or privileged user access to execute mpileup with malicious data.

Generated by OpenCVE AI on March 19, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SAMtools 1.21.1 or later
  • Verify that the installed SAMtools version is 1.21.1 or later
  • Monitor for relevant security advisories and patches
  • If upgrade is not immediately possible, restrict access to the mpileup command to trusted users

Generated by OpenCVE AI on March 19, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:samtools:samtools:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Samtools
Samtools samtools
Vendors & Products Samtools
Samtools samtools

Thu, 19 Mar 2026 00:30:00 +0000

Type Values Removed Values Added
References

Wed, 18 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The `mpileup` command outputs DNA sequences that have been aligned against a known reference. On each output line it writes the reference position, optionally the reference DNA base at that position (obtained from a separate file) and all of the DNA bases that aligned to that position. As the output is ordered by position, reference data that is no longer needed is discarded once it has been printed out. Under certain conditions the data could be discarded too early, leading to an attempt to read from a pointer to freed memory. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. This bug is fixed in versions 1.21.1 and 1.22. There is no workaround for this issue.
Title samtools mpileup has use-after-free leading to an invalid read
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Samtools Samtools
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T14:22:59.713Z

Reserved: 2026-03-10T15:40:10.486Z

Link: CVE-2026-31972

cve-icon Vulnrichment

Updated: 2026-03-18T23:08:19.727Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T21:16:26.070

Modified: 2026-03-19T18:54:51.970

Link: CVE-2026-31972

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:52:16Z

Weaknesses