Cyber Posture

CVE-2026-31968

Severity: High
Published: 18 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: available (fixed in HTSlib 1.23.1, 1.22.2 and 1.21.1)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0002 (4.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31968 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in HTSlib (vendor: Htslib). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 4.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and one other technique, Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly mitigates the CVE by requiring timely flaw remediation, i.e. updating to patched HTSlib versions 1.23.1, 1.22.2 or 1.21.1.

SI-16 Memory Protection (prevent): implements memory protections such as ASLR, stack canaries and non-executable memory, which prevent the heap and stack buffer overflows from being turned into arbitrary code execution.

Input validation (prevent): requires validation of CRAM file inputs, including the VARINT and CONST encoding contexts, so that malformed files which would otherwise reach the incompletely validated code path and trigger the overflows are rejected.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Execution): adversaries may exploit software vulnerabilities in client applications to execute code.

T1204.002 Malicious File (Execution): an adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

Buffer overflow in CRAM file parser directly enables client-side arbitrary code execution when a user opens a crafted malicious file (T1204.002), matching Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For the `VARINT` and `CONST` encodings, incomplete validation of the context in which the encodings were used could result in up to eight bytes being written beyond the end of a heap allocation, or up to eight bytes being written to the location of a one byte variable on the stack, possibly causing the values of adjacent variables to change unexpectedly. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

Deeper analysis

HTSlib, a C library for high-throughput sequencing data storage formats including CRAM, contains a vulnerability in its handling of the VARINT and CONST encodings used in CRAM files for DNA sequence alignment data. Incomplete validation of the encoding context can result in up to eight bytes being written beyond the end of a heap allocation or overwriting a one-byte stack variable, potentially corrupting adjacent variables. This issue manifests as either a heap buffer overflow or stack overflow, affecting applications that use HTSlib to read CRAM files.

Exploitation requires user interaction but no privileges: a remote attacker crafts a malicious CRAM file and induces a user to open it with an affected HTSlib-based application. Successful exploitation could cause the program to crash, overwrite heap or stack data structures unexpectedly, alter program control flow, or enable arbitrary code execution, with high impact on integrity and availability per its CVSS score of 8.1.

The HTSlib security advisory and associated patch commit detail fixes in versions 1.23.1, 1.22.2, and 1.21.1, which address the validation flaws in VARINT and CONST encoding contexts. No workaround is available, so users should update to a patched version promptly. Relevant resources include the GitHub security advisory at https://github.com/samtools/htslib/security/advisories/GHSA-cgcm-c9r2-p57j and the fixing commit at https://github.com/samtools/htslib/commit/0ec436796eca7b4ce7fcc9b77270c102da29bb2e.

Details

CWE(s): CWE-121 Stack-based Buffer Overflow, CWE-122 Heap-based Buffer Overflow, CWE-843 Type Confusion

Affected Products

Vendor: htslib · Product: htslib
Affected versions: 1.23 · ≤ 1.21.1 · 1.22 to 1.22.2

CVEs Like This One

CVE-2026-31969 (same product: Htslib Htslib)
CVE-2026-31963 (same product: Htslib Htslib)
CVE-2026-31962 (same product: Htslib Htslib)
CVE-2026-31970 (same product: Htslib Htslib)
CVE-2026-31971 (same product: Htslib Htslib)
CVE-2026-31965 (same product: Htslib Htslib)
CVE-2026-31967 (same product: Htslib Htslib)
CVE-2026-31964 (same product: Htslib Htslib)
CVE-2026-31966 (same product: Htslib Htslib)
CVE-2025-21356 (shared CWE-122, CWE-843)