Cyber Posture

CVE-2026-31966

Critical

Published: 18 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: available (fixed in HTSlib 1.23.1, 1.22.2 and 1.21.1)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0002 (6.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31966 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in HTSlib, the C library behind samtools and many other bioinformatics tools. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.0th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog. The gap between the critical CVSS score and the very low EPSS score reflects what this is: a library bug whose real exposure depends entirely on whether a deployed application decodes CRAM files from untrusted sources.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely identification, reporting, and correction of software flaws such as the out-of-bounds read in HTSlib's cram_decode_seq() function, here by updating to a fixed release (1.23.1, 1.22.2 or 1.21.1). Because HTSlib is usually linked statically or vendored into downstream tools (samtools, bcftools, pysam and others), remediation means rebuilding or upgrading those tools, not just the library package.

SI-10 Information Input Validation (prevent)

Mandates validation of inputs such as the CRAM feature data series so that decoding can never copy from outside the stored reference buffer. For this bug the validation is the fix itself; the advisory states there is no workaround, so the control is only satisfied by running patched code.

SI-16 Memory Protection (prevent)

Provides memory protection mechanisms such as address space layout randomization. These do not stop the out-of-bounds read or the data it returns to the caller; they only limit what an attacker can do with leaked addresses in a follow-on attack, so this control is defense in depth, not a substitute for patching.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The out-of-bounds read in CRAM decoding gives remote exploitation of public-facing applications that decode untrusted CRAM files (T1190) and leaks bytes of process memory directly to the caller, and from there potentially into decoded output such as the sequence or MD tag (T1005). Neither technique applies to deployments that only process CRAM files produced in-house.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding CRAM records, the reference data is stored in a char array, and parts matching the alignment record sequence are copied over as necessary. Due to insufficient validation of the feature data series, it was possible to make the `cram_decode_seq()` function copy data from either before the start, or after the end of the stored reference either into the buffer used to store the output sequence for the cram record, or into the buffer used to build the SAM `MD` tag. This allowed arbitrary data to be leaked to the calling function. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

Deeper analysis

CVE-2026-31966 is a critical-severity (CVSS 9.1) vulnerability in HTSlib, a C library for reading and writing bioinformatics file formats such as CRAM, which stores compressed DNA sequence alignment data. The issue stems from insufficient validation of the feature data series in CRAM records during decoding. Specifically, the `cram_decode_seq()` function can copy data from before the start or after the end of the stored reference sequence buffer into either the output sequence buffer for the CRAM record or the buffer used to build the SAM `MD` tag. This results in out-of-bounds reads (CWE-125, CWE-129), leaking whatever lies adjacent to the reference buffer to the calling function or crashing the process on an unmapped address. The vulnerability affects HTSlib releases before 1.21.1, the 1.22 series before 1.22.2, and 1.23.0; the fixes shipped in 1.23.1, 1.22.2 and 1.21.1.
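To make the mechanism concrete, the following is an added illustrative model of feature-based CRAM sequence decoding. It is not HTSlib's `cram_decode_seq()` and does not reproduce its data structures; it reproduces only the shape of the bug the advisory describes: runs of the reference are copied into the output sequence, and reference bases are written into the MD tag, at an offset derived from untrusted record fields, with and without a bounds check against the reference. The struct layout, the single substitution feature kind, the record values and the memory "arena" (a reference string placed between two secrets so that out-of-bounds reads land on something recognisable while staying inside one allocation) are all constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Model of CRAM feature decoding (added example, not HTSlib code). */

struct feature {
    int gap;    /* reference-matching bases before this substitution
                   (stands in for the untrusted feature-position delta) */
    char base;  /* read base replacing the reference base (untrusted) */
};

struct record {
    int aln_pos;                 /* 0-based start in the reference, untrusted */
    int read_len;                /* read length, untrusted */
    int nfeat;
    const struct feature *feat;
};

struct decoded {
    int rc;          /* 0 = decoded, -1 = rejected */
    char seq[64];    /* decoded read sequence */
    char md[64];     /* SAM MD tag built alongside it */
};

/* checked == 0 reproduces the vulnerable pattern: the reference offset is
   never compared with ref_len. checked != 0 is the hardened form, which
   validates every reference offset before it is dereferenced. Output-buffer
   bounds are checked in both, since the modelled bug is the reference read. */
static struct decoded decode_seq(const char *ref, int ref_len,
                                 const struct record *r, int checked)
{
    struct decoded out = { -1, "", "" };
    if (r->read_len < 0 || r->read_len + 1 > (int)sizeof out.seq) return out;
    if (checked && (r->aln_pos < 0 || r->aln_pos > ref_len)) return out;

    int read_pos = 0, ref_pos = r->aln_pos, nmatch = 0, mdlen = 0;
    for (int i = 0; i < r->nfeat; i++) {
        int gap = r->feat[i].gap;
        if (gap < 0 || read_pos + gap + 1 > r->read_len) return out;  /* output bound */
        if (checked && ref_pos + gap + 1 > ref_len) return out;       /* +1: MD needs a ref base */
        for (int k = 0; k < gap; k++)
            out.seq[read_pos + k] = ref[ref_pos + k];   /* OOB read when unchecked */
        read_pos += gap; ref_pos += gap; nmatch += gap;
        if (mdlen >= (int)sizeof out.md - 16) return out;
        mdlen += snprintf(out.md + mdlen, sizeof out.md - (size_t)mdlen, "%d%c",
                          nmatch, ref[ref_pos]);       /* OOB read when unchecked */
        out.seq[read_pos++] = r->feat[i].base;
        ref_pos++; nmatch = 0;
    }
    int tail = r->read_len - read_pos;                /* trailing matching run */
    if (checked && ref_pos + tail > ref_len) return out;
    for (int k = 0; k < tail; k++)
        out.seq[read_pos + k] = ref[ref_pos + k];       /* OOB read when unchecked */
    nmatch += tail;
    if (mdlen >= (int)sizeof out.md - 16) return out;
    snprintf(out.md + mdlen, sizeof out.md - (size_t)mdlen, "%d", nmatch);
    out.seq[r->read_len] = '\0';
    out.rc = 0;
    return out;
}

/* Constructed memory layout: the 10-base reference sits between two secrets. */
static const char ARENA[] = "SECRETKEY=hunter2|ACGTACGTAC|PASSWORD=s3cret";
static const char *const REF = ARENA + 18;   /* "ACGTACGTAC" */
static const int REF_LEN = 10;

static const struct feature SUB_AT_4 = { 4, 'N' };
static const struct feature SUB_AT_2 = { 2, 'T' };
/* Crafted: alignment position before the start of the reference. */
static const struct record LEAK_BEFORE = { -8, 8, 1, &SUB_AT_4 };
/* Crafted: start is inside the reference, but the read runs past its end. */
static const struct record LEAK_AFTER  = {  8, 6, 0, NULL };
/* Well-formed record: both decoders agree. */
static const struct record VALID       = {  2, 6, 1, &SUB_AT_2 };

static struct decoded decode_model(const struct record *r, int checked)
{
    return decode_seq(REF, REF_LEN, r, checked);
}

int main(void)
{
    const struct { const char *name; const struct record *r; } cases[] = {
        { "before-start", &LEAK_BEFORE }, { "past-end", &LEAK_AFTER }, { "valid", &VALID } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct decoded u = decode_model(cases[i].r, 0), c = decode_model(cases[i].r, 1);
        printf("%-12s unchecked: rc=%d seq=%s MD=%s | checked: rc=%d seq=%s MD=%s\n",
               cases[i].name, u.rc, u.seq, u.md, c.rc, c.seq, c.md);
    }
    return 0;
}
```

The unchecked decoder returns the secrets on both sides of the reference through the two channels the advisory names: the sequence buffer ("huntNr2|" for the before-start record, "AC|PAS" for the past-end one) and the MD tag ("4e3", whose 'e' is a byte from before the reference). The hardened decoder rejects both crafted records and produces the same output as the unchecked one for the valid record, which is the property a regression test for the real fix should assert.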

The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, base score 9.1) scores the worst case: an unauthenticated attacker who can get a specially crafted CRAM file in front of an application built on vulnerable HTSlib, with low complexity and no user interaction, can trigger the out-of-bounds read, leaking information about program state into the decoded output or causing denial of service through a crash. Whether the network vector applies to a given deployment is a question for the deployer: HTSlib itself has no network surface, so the practical exposure is any service, pipeline or submission portal that decodes CRAM received from outside the organisation.

Mitigation requires updating to HTSlib 1.23.1, 1.22.2 or 1.21.1, which include fixes through commits 22ec5230ef95769ab009420da69568c7e530af28, 2a45eb129d703ad27f9fabc8169f0e94d3c69fa3 and 4a5ef25eb1fb3d64438103316fffe423b2c3f5f4. The GitHub Security Advisory GHSA-5cj8-mj52-8vp3 provides further details, and there is no available workaround. Note that 1.22.1, although newer than the fixed 1.21.1, is still vulnerable; version checks must be done per release line.
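Because the fix landed on three release lines, a naive "newer than 1.21.1" comparison gets 1.22.0, 1.22.1 and 1.23.0 wrong. The following added example (not HTSlib code) encodes the affected ranges stated on this page as a branch-aware check. The fixed releases come from the advisory text; two things are assumptions: that release lines older than 1.21 never received a fixed release, and that release lines after 1.23 carry the fix. In practice the version string would come from `hts_version()` in `htslib/hts.h` or the "Using htslib" line of `samtools --version`; here it is supplied as constructed input.

```c
#include <stdio.h>

/* Added example: branch-aware vulnerability check for CVE-2026-31966. */

struct htsver { int major, minor, patch; };

/* Parse "1.22.1", "1.22", or a git-describe style string such as
   "1.22.1-14-gdeadbee" (trailing suffix ignored). Returns 0 on success,
   -1 if the string does not start with at least major.minor. */
static int parse_htsver(const char *s, struct htsver *v)
{
    v->major = v->minor = v->patch = 0;
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2 ? 0 : -1;
}

/* Returns 1 if the version is in an affected range, 0 if it carries the fix,
   -1 if the string could not be parsed (treat as "unknown", not "safe"). */
static int htslib_is_vulnerable(const char *version)
{
    struct htsver v;
    if (parse_htsver(version, &v) != 0) return -1;
    if (v.major != 1) return v.major < 1;   /* assumption: a future 2.x carries the fix */
    switch (v.minor) {
    case 21: return v.patch < 1;            /* fixed in 1.21.1 */
    case 22: return v.patch < 2;            /* fixed in 1.22.2 */
    case 23: return v.patch < 1;            /* fixed in 1.23.1 */
    default: return v.minor < 21;           /* <= 1.20: no fixed release (assumed);
                                               >= 1.24: assumed fixed */
    }
}

int main(void)
{
    const char *samples[] = { "1.20", "1.21.1", "1.22.1", "1.22.2",
                              "1.23", "1.23.1-3-gabc1234", "not-a-version" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %d\n", samples[i], htslib_is_vulnerable(samples[i]));
    return 0;
}
```

A return value of -1 should be surfaced rather than swallowed: an inventory that cannot parse a version has found a host it does not understand, not a safe one.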

Details

CWE(s)

CWE-125 Out-of-bounds Read · CWE-129 Improper Validation of Array Index

Affected Products

htslib (htslib)
< 1.21.1 · 1.22.0 to < 1.22.2 · 1.23.0

CVEs Like This One

CVE-2026-31965 (same product: HTSlib)
CVE-2026-31967 (same product: HTSlib)
CVE-2026-31962 (same product: HTSlib)
CVE-2026-31963 (same product: HTSlib)
CVE-2026-31964 (same product: HTSlib)
CVE-2026-31969 (same product: HTSlib)
CVE-2026-31968 (same product: HTSlib)
CVE-2026-31971 (same product: HTSlib)
CVE-2026-31970 (same product: HTSlib)
CVE-2025-30347 (shared CWE-125)