CVE-2026-31969
Published: 18 March 2026
Summary
CVE-2026-31969 is a high-severity heap-based buffer overflow (CWE-122) vulnerability in HTSlib. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 16.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, which directly addresses this heap buffer overflow by mandating upgrades to the patched HTSlib versions 1.23.1, 1.22.2, or 1.21.1.
SI-16 implements memory protections such as non-executable heap regions and address space randomization to prevent arbitrary code execution from the heap buffer overflow.
SI-10 enforces validation of untrusted CRAM file inputs to detect and reject malformed data encoded with BYTE_ARRAY_STOP before decoding in the vulnerable function.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap buffer overflow in the CRAM file parser can lead to remote code execution when a victim opens an attacker-crafted file (User Execution: Malicious File, T1204.002), which directly constitutes client application exploitation (T1203).
NVD Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_STOP` method, an out-by-one error in the `cram_byte_array_stop_decode_char()` function check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Deeper analysis
CVE-2026-31969 is a heap buffer overflow vulnerability in HTSlib, a C library for reading and writing bioinformatics file formats such as CRAM, which stores compressed DNA sequence alignment data. The issue stems from an out-by-one error in the `cram_byte_array_stop_decode_char()` function during decoding of data encoded with the `BYTE_ARRAY_STOP` method. This flaw allows a single attacker-controlled byte to be written beyond the end of a heap allocation when checking for a full output buffer, affecting HTSlib versions prior to the patched releases.
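To make the bug class concrete, the following is an added illustration written for this page; it is hypothetical code and is not HTSlib's `cram_byte_array_stop_decode_char()` nor a reproduction of its logic. It models a stop-byte decoder (copy input bytes into a fixed-size output buffer until a stop byte is seen) with a correct full-buffer check, and beside it a dry-run model of an off-by-one check that performs no writes but reports the highest index the flawed loop would have written to. The sample byte strings, the `cursor_t` type and the function names are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stop-byte decoder used to illustrate the off-by-one class of bug
 * described in the advisory. NOT HTSlib code. */

/* Minimal input cursor over a constructed byte string. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} cursor_t;

/* Hardened decoder: copies bytes up to (not including) `stop` into `out`.
 * Returns the number of bytes written, or -1 if the output buffer is full
 * before the stop byte is seen, or if the input ends without a stop byte.
 * The full-buffer test is n >= out_size, so the last legal index is
 * out_size - 1 and no write can land at out[out_size]. */
long decode_stop_hardened(cursor_t *in, uint8_t stop, uint8_t *out, size_t out_size) {
    size_t n = 0;
    while (in->pos < in->len) {
        uint8_t b = in->data[in->pos++];
        if (b == stop)
            return (long)n;
        if (n >= out_size)        /* correct: buffer is full when n == out_size */
            return -1;
        out[n++] = b;
    }
    return -1;                    /* truncated input: no stop byte seen */
}

/* Dry-run model of the flawed check. It performs no memory writes; it only
 * reports the highest output index the loop WOULD write to if the full-buffer
 * test were `n > out_size` (off by one). Returns -1 if nothing would be written. */
long buggy_check_max_index(const uint8_t *data, size_t len, uint8_t stop, size_t out_size) {
    size_t n = 0;
    long max_index = -1;
    for (size_t i = 0; i < len; i++) {
        if (data[i] == stop)
            break;
        if (n > out_size)         /* off by one: lets n == out_size through */
            break;
        max_index = (long)n;      /* a real decoder would do out[n] = data[i] here */
        n++;
    }
    return max_index;
}

/* Constructed sample: 4 payload bytes, then the stop byte 0x00, then trailing data. */
static const uint8_t SAMPLE_OK[] = { 'A', 'C', 'G', 'T', 0x00, 'X' };
/* Constructed sample: 5 payload bytes before the stop byte, one more than a 4-byte buffer. */
static const uint8_t SAMPLE_LONG[] = { 'A', 'C', 'G', 'T', 'N', 0x00 };

int main(void) {
    uint8_t out[4];

    cursor_t c = { SAMPLE_OK, sizeof SAMPLE_OK, 0 };
    long n = decode_stop_hardened(&c, 0x00, out, sizeof out);
    printf("hardened, fits:     wrote %ld bytes, next input pos %zu\n", n, c.pos);

    cursor_t c2 = { SAMPLE_LONG, sizeof SAMPLE_LONG, 0 };
    n = decode_stop_hardened(&c2, 0x00, out, sizeof out);
    printf("hardened, too long: returned %ld (input rejected)\n", n);

    long idx = buggy_check_max_index(SAMPLE_LONG, sizeof SAMPLE_LONG, 0x00, sizeof out);
    printf("flawed check model: would write up to out[%ld] of a %zu-byte buffer\n",
           idx, sizeof out);
    return 0;
}
```

The point of the dry-run model is that a `>` where `>=` was needed admits exactly one write at index `out_size`, which is the single-byte overrun the advisory describes; the hardened decoder instead returns an error for the same input, which is the behaviour an SI-10 style input-validation layer or the patched library should exhibit.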
A remote attacker can exploit this vulnerability by crafting a malicious CRAM file and tricking a user into opening it with an application linked to a vulnerable version of HTSlib. No privileges are required (PR:N), and the attack is feasible over a network (AV:N) with low complexity (AC:L), though it relies on user interaction (UI:R). Successful exploitation triggers a heap buffer overflow, potentially causing the program to crash, overwriting adjacent heap data or structures, and enabling arbitrary code execution in some cases. The CVSS v3.1 base score of 8.1 reflects high impacts on integrity (I:H) and availability (A:H) with no confidentiality impact (C:N), and the issue is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write).
The HTSlib security advisory (GHSA-q4cj-f4h5-fqgc) and associated patch commit (88cdf69e4b83bb550ab4f6f7134892c2ad1978f4) confirm fixes in versions 1.23.1, 1.22.2, and 1.21.1. There is no workaround available, so security practitioners should ensure dependent applications upgrade to these or later versions and validate inputs when processing untrusted CRAM files.
Details
- CWE(s)