CVE-2026-31966 Overview
CVE-2026-31966 is an Out-of-Bounds Read vulnerability affecting HTSlib, a widely-used library for reading and writing bioinformatics file formats including CRAM (Compressed Reference-oriented Alignment Map). The vulnerability exists in the cram_decode_seq() function, which processes CRAM format DNA sequence alignment data. Due to insufficient validation of feature data series during CRAM record decoding, attackers can craft malicious CRAM files that cause the library to read data from memory locations outside the intended reference buffer boundaries.
Critical Impact
This vulnerability allows arbitrary data leakage from program memory and can cause application crashes through invalid memory access when processing maliciously crafted CRAM files.
Affected Products
- HTSlib versions prior to 1.21.1
- HTSlib versions 1.22.x prior to 1.22.2
- HTSlib version 1.23 (prior to 1.23.1)
Discovery Timeline
- March 18, 2026 - CVE-2026-31966 published to NVD
- March 19, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31966
Vulnerability Analysis
The vulnerability resides in the CRAM file format decoder within HTSlib. CRAM uses reference-based compression to efficiently store DNA sequence alignment data by storing locations in external reference sequences along with differences (features) rather than full sequences. When decoding CRAM records, the reference data is stored in a char array, and matching portions are copied to output buffers as needed.
The cram_decode_seq() function fails to properly validate feature data boundaries before performing memory copy operations. This allows attackers to construct CRAM files with feature data that references positions before the start or after the end of the stored reference buffer. The out-of-bounds data can be leaked into either the output sequence buffer or the buffer used to construct the SAM MD tag, both of which are returned to the calling function.
The vulnerability is exploitable through three distinct attack vectors: accessing data beyond the reference end boundary, processing negative-length D, H, P, or N features, and specifying records that start before the current reference segment.
Root Cause
The root cause is insufficient bounds checking in the CRAM feature decoding logic. The original code used > comparisons where >= was required, failed to reject negative-length feature values, and did not validate that record positions fall within the current reference segment boundaries. These oversights allowed malformed CRAM files to trigger out-of-bounds memory reads.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious CRAM file containing:
- Features with positions that exceed the reference buffer end boundary
- Negative-length deletion (D), hard clip (H), padding (P), or skip (N) features
- Alignment records positioned before the current reference segment start
When a vulnerable application processes such a file using HTSlib, the library reads memory outside the intended buffer, potentially leaking sensitive program state information or causing a crash.
// Fix for boundary check in feature decoding
// Source: https://github.com/samtools/htslib/commit/22ec5230ef95769ab009420da69568c7e530af28
break;
} else {
if (decode_md) {
- if (ref_pos + x > s->ref_end)
+ if (ref_pos + x >= s->ref_end)
goto beyond_slice;
char r = s->ref[ref_pos+x-s->ref_start +1];
BLOCK_APPEND_CHAR(s->aux_blk, r);
// Fix to reject negative-length features
// Source: https://github.com/samtools/htslib/commit/2a45eb129d703ad27f9fabc8169f0e94d3c69fa3
r |= codecs[DS_DL]->decode(s, codecs[DS_DL], blk,
(char *)&i32, &out_sz);
if (r) return r;
+ if (i32 < 0)
+ goto beyond_slice;
if (decode_md || decode_nm) {
if (ref_pos + i32 > s->ref_end)
goto beyond_slice;
// Fix to catch records starting before reference segment
// Source: https://github.com/samtools/htslib/commit/4a5ef25eb1fb3d64438103316fffe423b2c3f5f4
cr->apos += s->last_apos;
}
s->last_apos= cr->apos;
+
+ if (s->hdr->ref_seq_id >= 0 && cr->apos < s->hdr->ref_seq_start)
+ goto block_err;
} else {
cr->apos = c->ref_seq_start;
}
Detection Methods for CVE-2026-31966
Indicators of Compromise
- Unexpected application crashes when processing CRAM files from untrusted sources
- Memory access violations or segmentation faults in bioinformatics pipelines
- Unusual data appearing in decoded SAM/BAM output that doesn't match expected sequence data
- Application memory dumps containing unexpected reference to program state
Detection Strategies
- Monitor applications using HTSlib for abnormal memory access patterns during CRAM file processing
- Implement file integrity validation for CRAM files before processing with vulnerable library versions
- Deploy memory safety tools (AddressSanitizer, Valgrind) in development and testing environments to detect out-of-bounds reads
- Review application logs for HTSlib-related errors when processing external CRAM data
Monitoring Recommendations
- Audit systems for installed HTSlib versions and identify instances running versions prior to 1.21.1, 1.22.2, or 1.23.1
- Implement application-level monitoring for unusual behavior during bioinformatics file processing
- Track the source and integrity of CRAM files processed by research pipelines
- Enable crash reporting and analysis for applications dependent on HTSlib
How to Mitigate CVE-2026-31966
Immediate Actions Required
- Upgrade HTSlib to patched versions: 1.21.1, 1.22.2, or 1.23.1 immediately
- Restrict processing of CRAM files to trusted sources only until patches are applied
- Review and rebuild all applications and tools that depend on HTSlib with the updated library
- Implement input validation at the application layer to reject potentially malformed CRAM files
Patch Information
HTSlib maintainers have released security patches across multiple supported versions. The fixes address the boundary checking issues in the CRAM decoder by:
- Correcting the off-by-one error in reference end boundary checks (changing > to >=)
- Adding validation to reject negative-length D, H, P, and N features
- Implementing checks to ensure alignment records do not start before the current reference segment
Fixed versions:
- HTSlib 1.21.1 for the 1.21.x branch
- HTSlib 1.22.2 for the 1.22.x branch
- HTSlib 1.23.1 for the 1.23.x branch
Patch commits are available via the GitHub Security Advisory.
Workarounds
- There is no workaround for this vulnerability according to the vendor advisory
- Users must upgrade to the patched versions to remediate the vulnerability
- As a temporary measure, avoid processing CRAM files from untrusted or unknown sources
- Consider using alternative file formats (BAM/SAM) if immediate patching is not possible, though this is not a complete mitigation
# Upgrade HTSlib to patched version
# Check current version
htsfile --version
# Install updated HTSlib (example for source installation)
wget https://github.com/samtools/htslib/releases/download/1.23.1/htslib-1.23.1.tar.bz2
tar -xjf htslib-1.23.1.tar.bz2
cd htslib-1.23.1
./configure
make
sudo make install
# Verify updated version
htsfile --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
