CVE-2026-31962
Published: 18 March 2026
Summary
CVE-2026-31962 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Htslib Htslib. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 18.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the heap buffer overflow by requiring timely patching of HTSlib to fixed versions 1.23.1, 1.22.2, or 1.21.1.
Requires validation of CRAM file inputs to prevent malformed records from triggering the out-of-bounds read and write in cram_decode_seq().
Provides memory protections such as ASLR and DEP to mitigate exploitation of the heap buffer overflow for code execution or data corruption.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in file-parsing library (CRAM) directly enables client-side RCE when user opens malicious file (UI:R, AV:N).
NVD Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this…
more
data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `cram_decode_seq()` did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Deeper analysisAI
CVE-2026-31962 is a heap buffer overflow vulnerability in HTSlib, a C library for reading and writing bioinformatics file formats such as CRAM, which stores compressed DNA sequence alignment data. The issue arises in the `cram_decode_seq()` function, which fails to properly handle CRAM records that omit DNA sequence and quality values to save space. In affected cases, this leads to reading a single byte beyond the end of a heap allocation followed by writing an attacker-controlled byte to the same location, enabling heap structure corruption.
The vulnerability can be exploited by any remote attacker with no privileges required (PR:N) who tricks a user into opening a specially crafted CRAM file (UI:R), as indicated by the CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Successful exploitation may cause the affected program to crash, overwrite arbitrary data or heap structures, and potentially achieve arbitrary code execution.
Patches are available in HTSlib versions 1.23.1, 1.22.2, and 1.21.1, as detailed in the project's GitHub security advisory (GHSA-xxmp-v7h3-gpwp) and the fixing commit (d799b54c6401879187bba4741be83ff590ac73e3). There is no workaround for this issue. The vulnerability is associated with CWEs-122 (Heap-based Buffer Overflow), CWE-125 (Out-of-bounds Read), CWE-129 (Improper Validation of Array Index), and CWE-787 (Out-of-bounds Write).
Details
- CWE(s)