CVE-2026-31965 Overview
CVE-2026-31965 is an Out-of-Bounds Read vulnerability affecting HTSlib, a widely-used library for reading and writing bioinformatics file formats. The vulnerability exists in the cram_decode_slice() function, which is called when processing CRAM (Compressed Reference-oriented Alignment Map) files containing DNA sequence alignment data. Due to insufficient validation of the reference ID field, two out-of-bounds reads can occur before the invalid data is detected, potentially leaking memory values or causing program crashes.
Critical Impact
A network-accessible out-of-bounds read that can leak memory values to the caller and cause denial of service in bioinformatics applications that process untrusted CRAM files.
Affected Products
- HTSlib versions prior to 1.21.1
- HTSlib versions 1.22.x prior to 1.22.2
- HTSlib version 1.23 (fixed in 1.23.1)
Discovery Timeline
- 2026-03-18 - CVE-2026-31965 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-31965
Vulnerability Analysis
The vulnerability resides in HTSlib's CRAM file decoder, specifically within the cram_decode_slice() function. CRAM is a compressed format designed for efficient storage of DNA sequence alignment data, commonly used in bioinformatics pipelines and genomic research applications.
The core issue stems from a validation timing problem where the reference ID field and mate reference ID are not properly checked before being used to access memory. This allows an attacker who can supply a maliciously crafted CRAM file to trigger two separate out-of-bounds read operations. While the function does eventually report an error when detecting the invalid data, the memory accesses have already occurred by that point.
The impact includes potential information disclosure where two values from unauthorized memory locations could be leaked to the caller, and denial of service through program crashes when attempting to access invalid memory addresses.
Root Cause
The root cause is improper input validation (CWE-125: Out-of-bounds Read) where the reference ID field validation occurred too late in the processing sequence. The cram_decode_slice() function performed memory access operations using the reference ID and mate reference ID values before verifying they fell within valid bounds, creating a window for exploitation.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious CRAM file with invalid reference ID fields and delivering it to a target system running vulnerable versions of HTSlib. The attack is network-accessible, requiring no authentication or user interaction beyond processing the malicious file. Exploitation scenarios include:
- Uploading malicious CRAM files to bioinformatics processing pipelines
- Submitting crafted files to genomic data analysis services
- Compromising shared research datasets with malformed CRAM records
The security patch adds more comprehensive checks for valid CRAM reference ID and mate reference ID values before any memory access occurs:
/*
-Copyright (c) 2012-2020, 2022-2025 Genome Research Ltd.
+Copyright (c) 2012-2020, 2022-2026 Genome Research Ltd.
Author: James Bonfield <jkb@sanger.ac.uk>
Redistribution and use in source and binary forms, with or without
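Review bot: the only change visible in this excerpt is the copyright year in the file header (`-Copyright (c) 2012-2020, 2022-2025` to `+Copyright (c) 2012-2020, 2022-2026`); the checks on the reference ID and mate reference ID that the text says the patch adds before any memory access are not part of this hunk, so the page should quote the hunk from cram_decode_slice() that introduces those checks, or at least link the full commit, rather than this header fragment.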
Source: GitHub Commit
Detection Methods for CVE-2026-31965
Indicators of Compromise
- Unexpected crashes in applications using HTSlib when processing CRAM files
- Memory access violations or segmentation faults during CRAM file decoding operations
- Error messages from cram_decode_slice() function indicating invalid reference IDs
- Anomalous CRAM files with malformed reference ID fields in file processing queues
Detection Strategies
- Implement file integrity monitoring for CRAM files entering bioinformatics pipelines
- Monitor application logs for repeated errors from HTSlib CRAM decoding functions
- Deploy runtime application self-protection (RASP) to detect memory access anomalies
- Use static analysis tools to identify vulnerable HTSlib versions in deployed applications
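As an added example of the log-monitoring strategy above (this is not code from the page or from the HTSlib project), the script below scans pipeline log lines for errors from HTSlib's CRAM decoder, attributes each error to the file the worker was decoding at the time, and flags files that keep producing decoder errors. HTSlib's logger prefixes messages with the emitting function, as in `[E::cram_decode_slice]`; the surrounding log layout (timestamp, worker name, `pipeline: processing <file>` lines) and the error message texts are constructed for this example and are not HTSlib's actual wording.

```python
import re
from collections import defaultdict

# Constructed sample log for illustration only. The "[E::function]" prefix is
# HTSlib's real log format; the timestamps, worker names, "pipeline:" lines and
# message texts are invented for this example.
SAMPLE_LOG = """\
2026-03-20T10:00:59Z worker-2 [E::cram_decode_slice] error before any file was announced
2026-03-20T10:01:02Z worker-3 pipeline: processing upload-7f3a.cram
2026-03-20T10:01:02Z worker-3 [E::cram_decode_slice] invalid ref_id in slice
2026-03-20T10:01:02Z worker-3 pipeline: job 4412 failed (exit 1)
2026-03-20T10:01:09Z worker-3 pipeline: processing upload-7f3a.cram
2026-03-20T10:01:09Z worker-3 [E::cram_decode_slice] invalid ref_id in slice
2026-03-20T10:01:15Z worker-1 pipeline: processing sample-0091.cram
2026-03-20T10:01:15Z worker-1 [W::cram_decode_slice] constructed warning, not an error
2026-03-20T10:02:40Z worker-3 pipeline: processing upload-7f3a.cram
2026-03-20T10:02:40Z worker-3 [E::cram_decode_slice] invalid ref_id in slice
"""

# A worker announcing which CRAM file it is about to decode (assumed layout).
PROCESSING = re.compile(r"^(\S+)\s+(\S+)\s+pipeline: processing (\S+\.cram)$")
# An HTSlib error line from any CRAM decoder function ("[E::cram_...]").
CRAM_ERROR = re.compile(r"^(\S+)\s+(\S+)\s+\[E::(cram_[a-z0-9_]+)\]\s*(.*)$")


def correlate_cram_errors(lines):
    """Map each CRAM file to the decoder errors raised while it was being processed.

    Errors seen before a worker announced any file go under "<unknown>" so that
    they are not silently dropped.
    """
    current_file = {}                 # worker -> file currently being decoded
    errors = defaultdict(list)        # file -> [(timestamp, function, message)]
    for line in lines:
        m = PROCESSING.match(line)
        if m:
            _ts, worker, cram_file = m.groups()
            current_file[worker] = cram_file
            continue
        m = CRAM_ERROR.match(line)
        if m:
            ts, worker, func, msg = m.groups()
            errors[current_file.get(worker, "<unknown>")].append((ts, func, msg))
    return errors


def flag_repeat_offenders(errors, threshold=2):
    """Return files whose decoder error count reaches the threshold, sorted by name."""
    return sorted(f for f, events in errors.items() if len(events) >= threshold)


if __name__ == "__main__":
    errs = correlate_cram_errors(SAMPLE_LOG.splitlines())
    for cram_file, events in sorted(errs.items()):
        print(f"{cram_file}: {len(events)} CRAM decoder error(s)")
    print("repeat offenders:", flag_repeat_offenders(errs))
```

The threshold is deliberately low: a single decoder error on a file from an external source is already worth a look, and the same file failing repeatedly across retries (as `upload-7f3a.cram` does in the sample) is the pattern that distinguishes a malformed or crafted submission from a transient fault.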
Monitoring Recommendations
- Enable verbose logging for bioinformatics applications processing external CRAM files
- Implement memory sanitizers (AddressSanitizer) in development and testing environments
- Monitor for unusual patterns in CRAM file submissions from external sources
- Track HTSlib version deployments across infrastructure for vulnerability management
How to Mitigate CVE-2026-31965
Immediate Actions Required
- Upgrade HTSlib to patched versions: 1.23.1, 1.22.2, or 1.21.1 depending on your version branch
- Audit systems to identify all applications and pipelines using vulnerable HTSlib versions
- Implement input validation for CRAM files from untrusted sources before processing
- Consider temporarily restricting CRAM file processing from external/untrusted sources until patching is complete
Patch Information
The HTSlib development team has released security patches across multiple version branches. The fix adds comprehensive validation checks for CRAM reference ID and mate reference ID fields before any memory access operations occur in the cram_decode_slice() function.
Fixed Versions:
- 1.23.1 (for 1.23.x branch)
- 1.22.2 (for 1.22.x branch)
- 1.21.1 (for 1.21.x branch)
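To support the "audit systems" and "track HTSlib version deployments" actions, here is an added example (not code from the page or from HTSlib) that parses the version reported by `htsfile --version` and decides, using the affected and fixed versions listed in this advisory, whether a deployment still needs the patch and which release to move to. It assumes the version string contains a token such as `1.22.1` (the exact surrounding text of the `htsfile` banner is an assumption) and treats a two-component version such as `1.23` as `1.23.0`.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release per branch, taken from the "Fixed Versions" list above.
FIXED = {
    (1, 21): (1, 21, 1),
    (1, 22): (1, 22, 2),
    (1, 23): (1, 23, 1),
}
OLDEST_FIX = FIXED[(1, 21)]   # everything before 1.21.1 is affected


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y or x.y.z token from a version banner.

    Assumed input shape: something like "htsfile (htslib) 1.22.1"; a missing
    third component is read as 0 so that "1.23" compares as 1.23.0.
    """
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(v: Version) -> bool:
    """True if v is an affected release according to this advisory."""
    branch = (v[0], v[1])
    if branch in FIXED:
        return v < FIXED[branch]          # same branch: below the branch fix
    return v < OLDEST_FIX                 # older branches: affected; newer: fixed


def remediation(v: Version) -> Optional[Version]:
    """Smallest patched release to upgrade to, or None if already patched."""
    if not is_vulnerable(v):
        return None
    return FIXED.get((v[0], v[1]), OLDEST_FIX)


def check_installed(argv=("htsfile", "--version")):
    """Run htsfile and report (version, vulnerable) or None if it is not installed."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    v = parse_version(proc.stdout)
    return None if v is None else (v, is_vulnerable(v))


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("htsfile not found or version not recognised")
    else:
        v, vuln = result
        target = remediation(v)
        print("installed", ".".join(map(str, v)),
              "VULNERABLE, upgrade to " + ".".join(map(str, target)) if vuln else "patched")
```

For a fleet, feed the banners collected from each host into `parse_version` and `remediation` rather than calling `check_installed` locally; note that a distribution package may carry the fix as a backport without bumping the upstream version, in which case the package changelog, not the banner, is the authority.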
Patches are available through the GitHub Security Advisory and the commit fix.
Workarounds
- No workaround is available for this vulnerability according to the vendor advisory
- Upgrading to a patched version is the only remediation path
- As a temporary measure, restrict processing of CRAM files to trusted sources only
- Consider implementing additional file validation layers before HTSlib processing
# Check the installed HTSlib version
htsfile --version
# Update HTSlib via the package manager (example for apt-based systems; the package name depends on the distribution, so confirm it with apt-cache search htslib)
sudo apt update && sudo apt install htslib
# Or build from source at the patched tag. HTSlib pulls in htscodecs as a git submodule, and a git checkout needs the configure script generated before building.
git clone --recurse-submodules https://github.com/samtools/htslib.git
cd htslib
git checkout 1.23.1
git submodule update --init --recursive
autoreconf -i && ./configure && make && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

