CVE-2026-31972
Published: 18 March 2026
Summary
CVE-2026-31972 is a critical-severity Use After Free (CWE-416) vulnerability in SAMtools (vendor and product both listed as Samtools). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 6.3 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of system flaws, which here means patching the use-after-free in SAMtools mpileup by upgrading to fixed version 1.21.1 or 1.22.
- Memory protection: provides mechanisms such as ASLR and DEP that mitigate exploitation of the use-after-free defect by restricting unauthorized memory access and code execution.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify systems running SAMtools versions affected by CVE-2026-31972.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of a vulnerable SAMtools mpileup over the network (a use-after-free in file format handling) maps directly to T1190 when the tool processes untrusted input in a public-facing or automated service context, consistent with the CVSS vector AV:N/PR:N/UI:N and its high impact metrics.
NVD Description
SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The `mpileup` command outputs DNA sequences that have been aligned against a known reference. On each output line it writes the reference position, optionally the reference DNA base at that position (obtained from a separate file) and all of the DNA bases that aligned to that position. As the output is ordered by position, reference data that is no longer needed is discarded once it has been printed out. Under certain conditions the data could be discarded too early, leading to an attempt to read from a pointer to freed memory. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. This bug is fixed in versions 1.21.1 and 1.22. There is no workaround for this issue.
Deeper analysis
CVE-2026-31972 is a use-after-free vulnerability (CWE-416) in SAMtools, a program for reading, manipulating, and writing bioinformatics file formats. The issue affects the `mpileup` command, which outputs DNA sequences aligned against a reference by printing, for each position, the reference position, optionally the reference base from a separate file, and the aligned bases. Because output is ordered by position, reference data is discarded once it has been printed; under certain conditions it is freed too early, and the code then reads through a pointer to freed memory. This vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and affects SAMtools versions prior to the fixed releases 1.21.1 and 1.22.
Attackers can exploit this vulnerability remotely over a network with low complexity, requiring no privileges, authentication, or user interaction. Successful exploitation may leak information about the program's internal state or cause a denial-of-service via a crash from invalid memory access, potentially compromising confidentiality, integrity, and availability to a high degree as indicated by the CVSS metrics.
The GitHub security advisory (GHSA-72c8-4jf3-f27p) and commit 3036eb9af945fcef359427a2d359855553da4adf detail the fix applied in SAMtools versions 1.21.1 and 1.22. An announcement on the oss-security mailing list confirms the patch and notes there is no available workaround for this issue. Security practitioners should update to a patched version immediately.
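As an added example (not code from the advisory or the SAMtools project), the check below implements the RA-5 identification step for this CVE: it parses the first line of `samtools --version` output and reports a host as vulnerable when the installed version is older than 1.21.1, the lowest fixed release named above. The sample version strings are constructed for the demonstration.

```python
"""Flag SAMtools installs still exposed to CVE-2026-31972 (fixed in 1.21.1 and 1.22)."""
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases named in the advisory; any release older than the lowest one is exposed.
FIXED_VERSIONS = ("1.21.1", "1.22")
MIN_FIXED = (1, 21, 1)

# First line of `samtools --version` is "samtools <version>"; keep only the dotted numerals.
_VERSION_RE = re.compile(r"^samtools\s+(\d+(?:\.\d+)*)", re.MULTILINE)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric version tuple from `samtools --version` output.

    Build suffixes such as "-dirty" or "+htslib-1.21" are ignored.
    Returns None when no version line is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when version < 1.21.1.

    Tuples compare lexicographically, so (1, 21) < (1, 21, 1) < (1, 22)
    without padding a missing patch component.
    """
    return version < MIN_FIXED


def assess(version_output: str) -> str:
    """Classify one host's `samtools --version` output for a scan report."""
    v = parse_version(version_output)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "fixed"


def assess_local() -> str:
    """Run the locally installed samtools and classify it."""
    try:
        proc = subprocess.run(["samtools", "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "not installed"
    return assess(proc.stdout)


if __name__ == "__main__":
    # Constructed sample output (not captured from a real host).
    SAMPLE = "samtools 1.21\nUsing htslib 1.21\n"
    print(assess(SAMPLE))   # vulnerable
    print(assess_local())
```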
Details
- CWE(s)