CVE-2026-31963
Published: 18 March 2026
Summary
CVE-2026-31963 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in HTSlib. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 16.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely flaw remediation by updating HTSlib to a patched version (1.23.1, 1.22.2 or 1.21.1) that fixes the heap buffer overflow in CRAM feature decoding.
- SI-16 (Memory Protection): Implements memory protections such as ASLR, DEP and heap hardening, which directly raise the cost of turning the heap buffer overflow into arbitrary code execution.
- Input validation: Enforces validation of input CRAM files to reject malformed features that could trigger the out-by-one error during reference-based decompression.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in CRAM file parsing enables RCE when a user opens a crafted malicious file (T1204.002), which is the classic client-side exploitation vector (T1203).
NVD Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding these features, an out-by-one error in a test for CRAM features that appear beyond the extent of the CRAM record sequence could result in an invalid write of one attacker-controlled byte beyond the end of a heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Deeper analysis
CVE-2026-31963 is a heap buffer overflow vulnerability in HTSlib, a C library for reading and writing bioinformatics file formats such as CRAM, which stores compressed DNA sequence alignment data using reference-based compression. The issue stems from an out-by-one error in a test for CRAM features that extend beyond the record sequence extent, resulting in an invalid write of one attacker-controlled byte past the end of a heap buffer during feature decoding. This affects HTSlib versions prior to the patches in 1.23.1, 1.22.2, and 1.21.1, and is classified under CWE-122 (Heap-based Buffer Overflow), CWE-129 (Improper Validation of Array Index), and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 8.1.
An attacker can exploit this vulnerability by crafting a malicious CRAM file and tricking a user into opening it with software linked against a vulnerable HTSlib version, such as samtools or other bioinformatics tools. The CVSS vector is network (AV:N) with low complexity (AC:L); it requires no privileges (PR:N) but does require user interaction (UI:R), and there is no scope change (S:U). Successful exploitation causes a heap buffer overflow, potentially leading to program crashes, unexpected overwriting of heap data and structures, or arbitrary code execution.
The HTSlib GitHub security advisory (GHSA-qgqh-h2q9-7w3c) and commit 8bcc9907be0f945ddc31796d64f078fa05456acd detail the fix, backported to maintenance branches for versions 1.23.1, 1.22.2, and 1.21.1. There is no workaround available, so users should update to a patched version immediately.
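To make the bug class in the NVD description and the analysis above concrete, here is an added example (not HTSlib's code and not its real CRAM feature encoding) of a simplified feature-application loop: a boundary test written with `>` admits a position equal to the buffer length, one byte past the last valid index, while the corrected `<` test rejects it. The `feature_t` type, the two predicates, `apply_features` and `demo` are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a decoded "feature": a 0-based position inside the
 * record's sequence and the base to place there (not HTSlib's real layout). */
typedef struct { size_t pos; char base; } feature_t;

/* Out-by-one predicate: ">" lets pos == seq_len through, and seq[seq_len] is
 * one byte past the end of a seq_len-byte heap buffer (CWE-129 -> CWE-122). */
bool feature_ok_buggy(size_t pos, size_t seq_len) { return !(pos > seq_len); }

/* Corrected predicate: valid indices are 0 .. seq_len - 1. */
bool feature_ok_fixed(size_t pos, size_t seq_len) { return pos < seq_len; }

/* Apply n features to a seq_len-byte buffer using the corrected check.
 * Returns how many features were rejected as out of range; the buffer is
 * never written at or past seq_len regardless of the input. */
int apply_features(char *seq, size_t seq_len, const feature_t *f, size_t n) {
    int rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (!feature_ok_fixed(f[i].pos, seq_len)) { rejected++; continue; }
        seq[f[i].pos] = f[i].base;
    }
    return rejected;
}

/* Shows both predicates at the boundary and decodes a constructed feature
 * list; returns the number of rejected features (2 for this input). */
int demo(void) {
    const size_t seq_len = 8;
    char *seq = malloc(seq_len + 1);      /* +1 only for this demo's NUL */
    if (!seq) return -1;
    memset(seq, 'A', seq_len);
    seq[seq_len] = '\0';
    /* Constructed features: two in range, one exactly at seq_len (the edge
     * the buggy test accepts), one far beyond. */
    const feature_t feats[] = { {0, 'C'}, {7, 'G'}, {8, 'T'}, {100, 'T'} };
    int rejected = apply_features(seq, seq_len, feats, 4);
    printf("buggy test accepts pos == len: %d\n", feature_ok_buggy(seq_len, seq_len));
    printf("fixed test accepts pos == len: %d\n", feature_ok_fixed(seq_len, seq_len));
    printf("decoded sequence: %s (rejected %d features)\n", seq, rejected);
    free(seq);
    return rejected;
}
```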
Details
- CWE(s)