CVE-2026-31964
Published: 18 March 2026
Summary
CVE-2026-31964 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Htslib Htslib. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 18.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires organizations to identify, report, and correct flaws like the NULL pointer dereference in HTSlib's CRAM decoding for CONST, XPACK, and XRLE encodings by applying patches in fixed versions.
Mandates secure error handling during CRAM record decoding to gracefully manage omitted sequence or quality data without attempting writes to NULL pointers, preventing program crashes.
Implements validation of CRAM file inputs to detect and reject malformed records using vulnerable encodings before processing, mitigating exploitation via crafted files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
NULL pointer dereference in HTSlib when decoding crafted CRAM files directly triggers application crashes, enabling Endpoint Denial of Service via application exploitation (T1499.004).
NVD Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. While most alignment records store DNA sequence and quality values,…
more
the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `CONST`, `XPACK` and `XRLE` encodings did not properly implement the interface needed to do this. Trying to decode records with omitted sequence or quality data using these encodings would result in an attempt to write to a NULL pointer. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Deeper analysisAI
CVE-2026-31964 is a NULL pointer dereference vulnerability (CWE-476) in HTSlib, a C library for reading and writing bioinformatics file formats such as CRAM, which stores compressed DNA sequence alignment data. The issue affects the CONST, XPACK, and XRLE encodings when decoding CRAM records that omit sequence or quality data; these encodings fail to properly implement the required interface for handling and discarding such data, resulting in an attempt to write to a NULL pointer.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. An unauthenticated attacker can supply a specially crafted CRAM file to any application using a vulnerable HTSlib version, triggering the dereference and typically causing a program crash, leading to denial of service.
The HTSlib GitHub security advisory (GHSA-5w97-85gf-86rm) and fixing commit (e64e68da567d2309509d059ace016d5d7fc7514f) confirm patches in versions 1.23.1, 1.22.2, and 1.21.1; there is no workaround available. Security practitioners should ensure dependent bioinformatics tools update to these fixed releases when processing untrusted CRAM files.
Details
- CWE(s)