Cyber Posture

CVE-2026-31970

High

Published: 18 March 2026
Modified: 19 March 2026
KEV Added: not listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0006 (18.2nd percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31970 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in HTSlib. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 18.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and one other technique, Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation): Directly addresses the vulnerability by requiring timely remediation through patching HTSlib to fixed versions 1.23.1, 1.22.2, or 1.21.1.

prevent · SI-10 (Information Input Validation): Validates GZI index file inputs, such as record counts and sizes, to prevent integer overflows during buffer allocation in bgzf_index_load_hfile().

prevent · memory protection: Implements memory safeguards to protect against heap buffer overflows that could lead to data overwrite or arbitrary code execution from malformed GZI files.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The heap buffer overflow sits in a file-parsing library (the GZI index loader) and is triggered by a maliciously crafted file that a user must open, which directly enables client-side exploitation and arbitrary code execution via malicious files.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP [BGZF] files. In the GZI loading function, `bgzf_index_load_hfile()`, it was possible to trigger an integer overflow, leading to an under- or zero-sized buffer being allocated to store the index. Sixteen zero bytes would then be written to this buffer, and, depending on the result of the overflow, the rest of the file may also be loaded into the buffer as well. If the function did attempt to load the data, it would eventually fail due to not reading the expected number of records, and then try to free the overflowed heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. The easiest work-around is to discard any `.gzi` index files from untrusted sources, and use the `bgzip -r` option to recreate them.

Deeper analysis

CVE-2026-31970 is a heap buffer overflow vulnerability in HTSlib, a C library for reading and writing high-throughput sequencing file formats used by bioinformatics applications, including block-compressed GZIP (BGZF) files. The issue occurs in the GZI index loading function, `bgzf_index_load_hfile()`, where an integer overflow can result in an under- or zero-sized buffer allocation. Subsequent operations write 16 zero bytes to this buffer and may load additional file data into it, overflowing the heap allocation. When the function fails to read the expected number of records, it attempts to free the overflowed heap buffer. This affects HTSlib versions prior to the fixes in 1.23.1, 1.22.2, and 1.21.1.

Attackers can exploit this vulnerability remotely over a network with low complexity and no privileges required, but it necessitates user interaction, such as opening a maliciously crafted GZI index file paired with a BGZF file. Successful exploitation causes heap buffer overflow, potentially crashing the affected program, overwriting heap data structures, or enabling arbitrary code execution depending on the application's context and memory layout.

The HTSlib security advisory (GHSA-p345-84hx-fq6q) and corresponding patch commit detail fixes in versions 1.23.1, 1.22.2, and 1.21.1. A recommended workaround is to discard GZI index files from untrusted sources and regenerate them using the `bgzip -r` option, as announced in the OSS-security mailing list on 2026-03-18. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) and maps to CWEs 122, 131, 190, 787, and 1284.
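The following is an added example, written for this page; it is not HTSlib's code and not taken from the advisory. It is a simplified GZI index loader in C modelled on the bug class described above (and on the input validation the SI-10 control entry calls for): the unchecked size calculation that wraps for a crafted entry count sits beside a hardened one that rejects it before any allocation. The GZI layout it parses (a 64-bit little-endian entry count followed by 64-bit compressed/uncompressed offset pairs, with an implicit leading (0,0) entry) and the names gzi_entry_t, gzi_index_t, membuf_t, gzi_load() and the helper functions are assumptions for the illustration. Both inputs are constructed inline, so the program runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed GZI layout (little-endian): a 64-bit entry count, then count pairs
 * of {compressed offset, uncompressed offset}. The loader prepends an implicit
 * (0,0) entry, hence the "+ 1" in the size calculations below. */
typedef struct { uint64_t caddr, uaddr; } gzi_entry_t;            /* 16 bytes */
typedef struct { gzi_entry_t *offs; uint64_t noffs; } gzi_index_t;
#define ENTRY_BYTES ((uint64_t)sizeof(gzi_entry_t))

static uint64_t le_u64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void put_u64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Vulnerable sizing: (count + 1) * 16 in 64-bit arithmetic wraps for large
 * counts, so the allocator would be asked for an under- or zero-sized buffer.
 * Only the arithmetic is shown; no overflowing write is performed here. */
uint64_t index_bytes_unchecked(uint64_t count) {
    return (count + 1) * ENTRY_BYTES;
}

/* Fixed sizing: returns 0 (reject) whenever (count + 1) * 16 would wrap. */
uint64_t index_bytes_checked(uint64_t count) {
    if (count > UINT64_MAX / ENTRY_BYTES - 1) return 0;
    return (count + 1) * ENTRY_BYTES;
}

/* Minimal in-memory "file" so the example runs without touching disk. */
typedef struct { const uint8_t *data; size_t len, pos; } membuf_t;
static size_t mb_read(membuf_t *f, void *out, size_t n) {
    if (n > f->len - f->pos) n = f->len - f->pos;
    memcpy(out, f->data + f->pos, n);
    f->pos += n;
    return n;
}

/* Hardened loader: validates the count against both the arithmetic bound and
 * the bytes actually remaining in the file before allocating anything.
 * Returns 0 on success, -1 (with idx->offs == NULL) on malformed input. */
int gzi_load(membuf_t *f, gzi_index_t *idx) {
    uint8_t buf[16];
    idx->offs = NULL;
    idx->noffs = 0;
    if (mb_read(f, buf, 8) != 8) return -1;
    uint64_t count = le_u64(buf);
    uint64_t bytes = index_bytes_checked(count);
    if (bytes == 0) return -1;                                /* size would wrap */
    if (count > (f->len - f->pos) / ENTRY_BYTES) return -1;   /* file cannot hold it */
    idx->offs = malloc((size_t)bytes);
    if (idx->offs == NULL) return -1;
    idx->offs[0].caddr = idx->offs[0].uaddr = 0;   /* the 16 zero bytes from the advisory */
    for (uint64_t i = 1; i <= count; i++) {
        if (mb_read(f, buf, 16) != 16) { free(idx->offs); idx->offs = NULL; return -1; }
        idx->offs[i].caddr = le_u64(buf);
        idx->offs[i].uaddr = le_u64(buf + 8);
    }
    idx->noffs = count + 1;
    return 0;
}

/* Constructed input: a benign two-entry index. */
int load_benign(gzi_index_t *idx) {
    uint8_t gzi[8 + 2 * 16];
    put_u64(gzi, 2);
    put_u64(gzi + 8, 100);  put_u64(gzi + 16, 65280);
    put_u64(gzi + 24, 200); put_u64(gzi + 32, 130560);
    membuf_t f = { gzi, sizeof gzi, 0 };
    return gzi_load(&f, idx);
}

/* Constructed input: a header claiming 2^64 - 1 entries followed by 16 bytes
 * of filler; the unchecked sizing turns that count into a 0-byte request. */
int load_crafted(gzi_index_t *idx) {
    uint8_t gzi[8 + 16];
    put_u64(gzi, UINT64_MAX);
    memset(gzi + 8, 0x41, 16);
    membuf_t f = { gzi, sizeof gzi, 0 };
    return gzi_load(&f, idx);
}

int main(void) {
    gzi_index_t idx;
    printf("unchecked bytes for count 2^64-1: %llu\n",
           (unsigned long long)index_bytes_unchecked(UINT64_MAX));
    printf("benign load: %d, entries: %llu\n", load_benign(&idx),
           (unsigned long long)idx.noffs);
    free(idx.offs);
    printf("crafted load: %d\n", load_crafted(&idx));
    return 0;
}
```

Build it with something like `cc -std=c99 -Wall gzi_example.c` (the file name is an assumption). Two checks do the work in gzi_load(): the arithmetic bound stops the wrapped allocation the advisory describes, and the remaining-bytes bound rejects counts that would not wrap but that the file cannot satisfy, so the loader never reaches the "fail after not reading the expected number of records, then free" path with an undersized buffer. A count of 2^60 is instructive too: (2^60 + 1) * 16 wraps to exactly 16 bytes, room for only the implicit entry, which is the under-sized case.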

Details

CWE(s): CWE-122, CWE-131, CWE-190, CWE-787, CWE-1284

Affected Products

htslib (HTSlib): 1.23 (fixed in 1.23.1) · 1.22 up to but not including 1.22.2 (fixed in 1.22.2) · ≤ 1.21 (fixed in 1.21.1)

CVEs Like This One

CVE-2026-31969 (same product: HTSlib)
CVE-2026-31963 (same product: HTSlib)
CVE-2026-31968 (same product: HTSlib)
CVE-2026-31962 (same product: HTSlib)
CVE-2026-31971 (same product: HTSlib)
CVE-2026-31965 (same product: HTSlib)
CVE-2026-31967 (same product: HTSlib)
CVE-2026-31964 (same product: HTSlib)
CVE-2026-31966 (same product: HTSlib)
CVE-2025-24439 (shared CWE-122, CWE-787)
