CVE-2026-31973
Published: 18 March 2026
Summary
CVE-2026-31973 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in SAMtools (vendor: Samtools). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 5.1 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the NULL pointer dereference by applying patches in SAMtools versions 1.23.1, 1.22.2, and 1.21.1 that add the missing error check after cram_decode_compression_header().
- Ensures effective error handling for failures such as cram_decode_compression_header() returning an error, preventing progression to the NULL pointer dereference and crash.
- Validates CRAM file inputs prior to processing to block specially crafted files that trigger the missing error check and the subsequent dereference.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The NULL dereference in the SAMtools cram-size command enables remote, unauthenticated denial of service via a crafted CRAM file (AV:N/UI:N). This maps directly to T1190 (exploit public-facing application) for delivery and to T1499.004 (application exploitation) for the crash-induced availability impact.
NVD Description
SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, in the cram-size command, used to write information about how well CRAM files are compressed, a check to see if the `cram_decode_compression_header()` was missing. If the function returned an error, this could lead to a NULL pointer dereference. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Deeper analysis
CVE-2026-31973 is a NULL pointer dereference vulnerability (CWE-476) in SAMtools, a program for reading, manipulating, and writing bioinformatics file formats. The issue affects the cram-size command, which is used to output compression statistics for CRAM files, starting from version 1.17. It arises from a missing error check after the call to cram_decode_compression_header(); if the function returns an error, the code proceeds without validation, leading to the dereference. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited remotely by unauthenticated attackers with no user interaction required. By providing a specially crafted CRAM file to the cram-size command, an attacker triggers the NULL pointer dereference, typically crashing the SAMtools process and causing a denial of service (high availability impact).
Patches are available in SAMtools versions 1.23.1, 1.22.2, and 1.21.1, as detailed in the GitHub commit (https://github.com/samtools/samtools/commit/06fc2a219b3d7c94d3f412c09f6d1efd51199f2f), the security advisory (https://github.com/samtools/samtools/security/advisories/GHSA-x86f-q6fj-cm43), and the oss-security mailing list announcement (http://www.openwall.com/lists/oss-security/2026/03/18/12). There is no workaround for this issue.
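The missing-check pattern described above, as an added illustration that is not samtools or htslib code: the header struct, the decoder, and the sample inputs are all hypothetical and constructed here. The unchecked caller reads through a NULL pointer when the decoder fails on a bad header; the checked caller turns the same failure into an error return, which is the shape of fix the advisory describes.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy stand-in for a decoded compression header (hypothetical; not an
 * htslib/samtools structure). It only models "decoder returns NULL on error". */
typedef struct {
    uint32_t num_blocks;  /* number of compressed blocks described */
    uint32_t block_bytes; /* compressed bytes per block */
} toy_comp_hdr;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical decoder: 1-byte version (must be 1) then two little-endian
 * uint32 fields. Returns NULL on truncated or unknown input, the error
 * convention a caller has to check before touching the result. */
static toy_comp_hdr *toy_decode_header(const uint8_t *buf, size_t len) {
    if (len < 9 || buf[0] != 1) return NULL;
    toy_comp_hdr *h = malloc(sizeof *h);
    if (!h) return NULL;
    h->num_blocks  = rd_le32(buf + 1);
    h->block_bytes = rd_le32(buf + 5);
    return h;
}

/* Before: the CWE-476 pattern. The result is used without an error check, so
 * a crafted or truncated header makes this read through a NULL pointer. */
static long long total_compressed_unchecked(const uint8_t *buf, size_t len) {
    toy_comp_hdr *h = toy_decode_header(buf, len);
    long long total = (long long)h->num_blocks * h->block_bytes; /* crash if h == NULL */
    free(h);
    return total;
}

/* After: the missing check added. Decode failure is reported as -1 instead of
 * being dereferenced, so the caller can stop processing the file cleanly. */
static long long total_compressed_checked(const uint8_t *buf, size_t len) {
    toy_comp_hdr *h = toy_decode_header(buf, len);
    if (!h) return -1;
    long long total = (long long)h->num_blocks * h->block_bytes;
    free(h);
    return total;
}

/* Constructed inputs: a well-formed header (3 blocks x 100 bytes) and a truncated one. */
static const uint8_t GOOD_HDR[9]  = {1, 3, 0, 0, 0, 100, 0, 0, 0};
static const uint8_t TRUNC_HDR[4] = {1, 3, 0, 0};
```

Only the checked variant is safe to call on TRUNC_HDR; the unchecked one reproduces the crash class (a process abort, not code execution) that the advisory's denial-of-service rating reflects.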
Details
- CWE(s)