Cyber Posture

CVE-2026-31967

Critical

Published: 18 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: fixed in HTSlib 1.23.1, 1.22.2 and 1.21.1
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0002 (6.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31967 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in HTSlib (vendor and product are both listed as htslib). Its CVSS 3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): directly remediates the unvalidated mate reference ID flaw by requiring timely patching to HTSlib versions 1.23.1, 1.22.2, or 1.21.1, which fix the out-of-bounds array reads.

- SI-10 Information Input Validation (prevent): enforces validation of CRAM file inputs, including bounds checking on the mate reference ID field, so that malformed data cannot trigger out-of-bounds memory access.

- Memory protection (prevent): memory protection mechanisms such as address space layout randomization and non-executable memory limit the damage from out-of-bounds reads, information leaks, and crashes; they do not remove the flaw.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A crafted CRAM file, supplied remotely without authentication or user interaction (AV:N/PR:N/UI:N), triggers an out-of-bounds read in the HTSlib parser. Any public-facing application that processes untrusted sequence data with a vulnerable HTSlib is therefore exposed (T1190), and the resulting crash denies service (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, the value of the mate reference id field was not validated. Later use of this value, for example when converting the data to SAM format, could result in the out of bounds array reads when looking up the corresponding reference name. If the array value obtained also happened to be a valid pointer, it would be interpreted as a string and an attempt would be made to write the data as part of the SAM record. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

Deeper analysis

CVE-2026-31967 is a vulnerability in HTSlib, a C library for high-throughput sequencing data storage, specifically affecting the handling of CRAM files, a compressed format for DNA sequence alignment data. The issue resides in the `cram_decode_slice()` function during CRAM record decoding, where the mate reference ID field lacks validation. This leads to out-of-bounds array reads when the unvalidated value is later used, such as during conversion to SAM format, to look up the corresponding reference name. If the accessed array value is a valid pointer, it may be misinterpreted as a string and incorporated into the SAM output.

An attacker can exploit this remotely with low complexity, requiring no privileges or user interaction, as indicated by the CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). By supplying a specially crafted CRAM file to any application using a vulnerable HTSlib version, the attacker can trigger out-of-bounds memory reads, potentially leaking sensitive information about the program's memory state (CWE-125, CWE-129). This may also cause denial-of-service via program crashes from invalid memory access.
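The flaw pattern described above, reduced to a self-contained illustration. This is an added example written for this page, not HTSlib's code: the reference-name table, the function names and the record values are constructed for the demonstration, and the SAM RNEXT rendering rules ("*" for no mate, "=" for same reference) follow the SAM specification rather than anything HTSlib-specific. It places the unchecked lookup beside a decode-time validation step of the kind the fix requires, so that a hostile mate reference ID is rejected before it can ever index the table.

```c
#include <stdio.h>
#include <string.h>

/* Constructed reference-name table standing in for the @SQ lines of a
 * CRAM/SAM header.  Not HTSlib's data structures. */
const char *REF_NAMES[] = { "chr1", "chr2", "chrM" };
const int NREF = (int)(sizeof(REF_NAMES) / sizeof(REF_NAMES[0]));

/* The flaw pattern: the mate reference id read from the record is used
 * directly as an array index.  Any value outside [0, nref) reads past the
 * table (CWE-129 leading to CWE-125); whatever bytes sit there are then
 * treated as a char* when the SAM record is written.  Only ever call this
 * with an id that has already been validated. */
const char *mate_ref_name_unchecked(const char **names, int mate_ref_id)
{
    return names[mate_ref_id];   /* no bounds check */
}

/* Validation performed at decode time, before the value is stored.
 * Returns 0 if the id is usable, -1 if the record must be rejected. */
int validate_mate_ref_id(int mate_ref_id, int nref)
{
    /* -1 is the conventional "no mate / mate unmapped" value; any other
     * value must name an existing reference. */
    if (mate_ref_id == -1)
        return 0;
    if (mate_ref_id < 0 || mate_ref_id >= nref)
        return -1;
    return 0;
}

/* Hardened lookup producing the SAM RNEXT column: "*" for no mate, "="
 * when the mate is on the same reference as the record, else the name.
 * The table is never indexed with an unvalidated id. */
int mate_ref_name_checked(const char **names, int nref, int ref_id,
                          int mate_ref_id, const char **out)
{
    if (validate_mate_ref_id(mate_ref_id, nref) != 0) {
        *out = NULL;
        return -1;
    }
    if (mate_ref_id == -1) { *out = "*"; return 0; }
    if (mate_ref_id == ref_id) { *out = "="; return 0; }
    *out = names[mate_ref_id];
    return 0;
}

int main(void)
{
    /* Constructed mate ids as a decoder might see them: three well-formed
     * values and one far outside the table, as a malformed file could carry. */
    int samples[] = { 1, -1, 0, 100000 };
    size_t i;

    printf("unchecked lookup of a valid id: %s\n",
           mate_ref_name_unchecked(REF_NAMES, 2));

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *rnext;
        if (mate_ref_name_checked(REF_NAMES, NREF, 0, samples[i], &rnext) == 0)
            printf("mate id %d -> RNEXT %s\n", samples[i], rnext);
        else
            printf("mate id %d -> record rejected (nref=%d)\n", samples[i], NREF);
    }
    return 0;
}
```

The point of doing the check in the decoder rather than at each later use is that the value is stored once and consumed in several places (SAM conversion being the one the advisory names); validating at the boundary means no consumer has to remember to do it.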

The HTSlib project has addressed the issue in versions 1.23.1, 1.22.2, and 1.21.1, with the fixing commit available at https://github.com/samtools/htslib/commit/9cefb46453ad471e933b8212d4f45920524d3357 and further details in the security advisory at https://github.com/samtools/htslib/security/advisories/GHSA-33x5-c6vj-8f2w. No workaround exists, so practitioners should upgrade affected bioinformatics tools relying on HTSlib, such as samtools, to patched releases.

Details

CWE(s): CWE-125 (Out-of-bounds Read), CWE-129 (Improper Validation of Array Index)

Affected Products

htslib
htslib
1.23 · ≤ 1.21.1 · 1.22 — 1.22.2

CVEs Like This One

CVE-2026-31965: same product (HTSlib)
CVE-2026-31966: same product (HTSlib)
CVE-2026-31964: same product (HTSlib)
CVE-2026-31962: same product (HTSlib)
CVE-2026-31963: same product (HTSlib)
CVE-2026-31969: same product (HTSlib)
CVE-2026-31968: same product (HTSlib)
CVE-2026-31971: same product (HTSlib)
CVE-2026-31970: same product (HTSlib)
CVE-2026-25882: shared CWE-129
