CVE-2026-31965
Published: 18 March 2026
Summary
CVE-2026-31965 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in HTSlib (samtools/htslib). Its CVSS v3.1 base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the flaw is ranked at the 5.1 percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation). In practice SI-2 means upgrading to a fixed release, because the advisory states there is no workaround.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the out-of-bounds read in HTSlib's cram_decode_slice() by identifying affected builds and upgrading them. Versions 1.23.1, 1.22.2 and 1.21.1 contain the fix; earlier releases in each of those series are affected, and no workaround exists.
- SI-10 (Information Input Validation): the root cause is an array index taken from an untrusted CRAM slice header (the reference id) and used before it is range-checked (CWE-129). Validate the reference id against the size of the reference table before any array access; the fix moves the existing check ahead of the two reads.
- Memory protection (SI-16): ASLR and non-executable memory do not prevent an out-of-bounds read, they only limit what an attacker can do with the result. The realistic outcomes here are a crash (denial of service) or two leaked values that the caller receives together with an error; if those values happen to be address-like, they could weaken ASLR rather than be blocked by it. Treat these controls as defence in depth, not as a substitute for patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote, unauthenticated exploitation of a public-facing application by supplying a malicious CRAM file to HTSlib's cram_decode_slice() parser, which maps directly to T1190 (Exploit Public-Facing Application) wherever HTSlib is embedded in a network-accessible service that accepts CRAM uploads. Where HTSlib is used in local command-line pipelines, the same crafted file has to be delivered for processing by other means, and the T1190 mapping is less direct. The resulting limited information disclosure or denial of service via the out-of-bounds read matches the technique's use of crafted inputs against network-accessible services; no other Enterprise techniques are directly facilitated, since the flaw provides neither remote code execution nor credential access.
NVD Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, validation of the reference id field occurred too late, allowing two out of bounds reads to occur before the invalid data was detected. The bug does allow two values to be leaked to the caller, however as the function reports an error it may be difficult to exploit them. It is also possible that the program will crash due to trying to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Deeper analysis
CVE-2026-31965 affects HTSlib, a C library for reading and writing bioinformatics file formats such as the CRAM compressed format used for DNA sequence alignment data. The vulnerability occurs in the `cram_decode_slice()` function during CRAM record parsing, where validation of the reference ID field is performed too late. This allows two out-of-bounds reads before the invalid data is detected, corresponding to CWE-125 (Out-of-bounds Read) and CWE-129 (Improper Validation of Array Index).
A remote, unauthenticated attacker, with no privileges or user interaction required, can exploit this by providing a maliciously crafted CRAM file to an application using a vulnerable HTSlib version. The CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H (base score 8.2) reflects the two possible outcomes: a low confidentiality impact from the two leaked values, no integrity impact, and a high availability impact from the crash that an access to invalid memory can cause. Reliably making use of the leaked values is difficult because the function reports an error to the caller on the same path.
HTSlib versions 1.23.1, 1.22.2, and 1.21.1 include fixes for this issue, as detailed in the project's security advisory (https://github.com/samtools/htslib/security/advisories/GHSA-mqm2-v645-3qhr) and the patching commit (https://github.com/samtools/htslib/commit/9cefb46453ad471e933b8212d4f45920524d3357). No workaround exists.
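The pattern behind the CWE-129 to CWE-125 chain described above, as an added illustration; this is not HTSlib's code. It models a slice header whose reference id indexes a per-reference table: the vulnerable function copies two values out of the table and only then compares the index with the table size, so an out-of-range id has already leaked neighbouring memory to the caller by the time the error is returned, while the fixed function checks first. The struct and field names (ref_entry, slice_hdr, ref_id), the use of -1 and -2 as the unmapped and multi-reference sentinels, and the memory layout are assumptions for this example; the actual fields and checks in cram_decode_slice() are in the linked fix commit. The out-of-range read is deliberately kept inside one backing array so that the demonstration itself is well-defined C.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-reference record (not HTSlib's type): what a decoder
 * looks up once it knows which reference a slice is aligned against. */
typedef struct {
    int64_t start;   /* first reference position covered */
    int64_t length;  /* number of bases covered */
} ref_entry;

/* Hypothetical slice header field parsed from attacker-controlled CRAM data.
 * Assumed convention: >= 0 indexes the reference table, -1 = unmapped,
 * -2 = multiple references. */
typedef struct {
    int32_t ref_id;
} slice_hdr;

/* Vulnerable pattern: the table is indexed with ref_id and two values are
 * copied to the caller BEFORE ref_id is compared against nref (CWE-129).
 * An out-of-range id still yields an error, but the two reads have already
 * happened and their results sit in *out_start / *out_len (CWE-125). */
int decode_slice_late_check(const slice_hdr *hdr, const ref_entry *refs, int nref,
                            int64_t *out_start, int64_t *out_len)
{
    if (hdr->ref_id >= 0) {
        *out_start = refs[hdr->ref_id].start;   /* out-of-bounds read #1 if ref_id >= nref */
        *out_len   = refs[hdr->ref_id].length;  /* out-of-bounds read #2 */
    }
    if (hdr->ref_id < -2 || hdr->ref_id >= nref)
        return -1;  /* error reported, but the two values were already leaked */
    return 0;
}

/* Fixed pattern: validate the index against the table size and the allowed
 * sentinel values before touching the table at all. */
int decode_slice_early_check(const slice_hdr *hdr, const ref_entry *refs, int nref,
                             int64_t *out_start, int64_t *out_len)
{
    if (hdr->ref_id < -2 || hdr->ref_id >= nref)
        return -1;  /* nothing has been read or written to the caller */
    if (hdr->ref_id >= 0) {
        *out_start = refs[hdr->ref_id].start;
        *out_len   = refs[hdr->ref_id].length;
    }
    return 0;
}

/* Constructed memory layout for the demonstration: a 3-entry reference table
 * followed by unrelated data, standing in for whatever the heap holds next.
 * Index 3 is out of bounds for the table but inside this backing array, so
 * reading it is valid C here while showing what the real bug would expose. */
enum { NREF = 3 };
static const ref_entry backing[NREF + 1] = {
    { 0,    1000 },
    { 1000, 2000 },
    { 3000, 500  },
    { 0x41414141, 0x42424242 },  /* adjacent data, NOT part of the table */
};

typedef struct { int rc; int64_t start, len; } decode_result;

/* Run the vulnerable decoder on a header with the given ref_id.
 * start/len begin at -1 so the test can tell "untouched" from "written". */
decode_result run_late(int32_t ref_id)
{
    slice_hdr h = { ref_id };
    decode_result r = { 0, -1, -1 };
    r.rc = decode_slice_late_check(&h, backing, NREF, &r.start, &r.len);
    return r;
}

/* Same, for the fixed decoder. */
decode_result run_early(int32_t ref_id)
{
    slice_hdr h = { ref_id };
    decode_result r = { 0, -1, -1 };
    r.rc = decode_slice_early_check(&h, backing, NREF, &r.start, &r.len);
    return r;
}

int main(void)
{
    decode_result a = run_late(3), b = run_early(3);
    printf("late check : rc=%d start=0x%llx len=0x%llx  (leaked adjacent data)\n",
           a.rc, (long long)a.start, (long long)a.len);
    printf("early check: rc=%d start=%lld len=%lld  (caller's buffers untouched)\n",
           b.rc, (long long)b.start, (long long)b.len);
    return 0;
}
```

Both functions return -1 for ref_id 3, which is why a caller that only looks at the return code sees no difference; the leak is visible only in the output parameters, which is exactly the "difficult to exploit" situation the advisory describes. The fix is cheap because the check already existed and merely had to run before the reads, so when reviewing similar parsers look for every array access that precedes the range check on its index, not just for missing checks.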
Details
- CWE(s)