CVE-2026-31968 Overview
CVE-2026-31968 is a high-severity buffer overflow vulnerability in HTSlib, a widely used C library for reading and writing high-throughput sequencing data formats in bioinformatics applications. The vulnerability exists in the CRAM file format parser, specifically in the handling of VARINT and CONST encodings. Because the context in which these encodings are used was not fully validated, an attacker can trigger memory corruption that could lead to arbitrary code execution.
Critical Impact
A maliciously crafted CRAM file can cause heap or stack buffer overflows, potentially enabling arbitrary code execution when processed by applications using vulnerable HTSlib versions.
Affected Products
- HTSlib versions prior to 1.21.1
- HTSlib versions 1.22.x prior to 1.22.2
- HTSlib version 1.23 prior to 1.23.1
Discovery Timeline
- 2026-03-18 - CVE-2026-31968 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-31968
Vulnerability Analysis
The vulnerability resides in the CRAM codec implementation within cram/cram_codecs.c. CRAM is a compressed format designed for storing DNA sequence alignment data, utilizing various encodings and compression methods for efficiency. The VARINT_UNSIGNED and VARINT_SIGNED codecs failed to properly validate the option parameter that determines which decode function should be used.
In the vulnerable code path, the codec selection logic used a simple ternary operator that only checked for E_INT, defaulting to long-type decoders for any other value. This lack of strict validation meant that unexpected option values could result in incorrect decoder assignment, leading to mismatched data type handling. When processing malformed input, up to eight bytes could be written beyond the end of a heap allocation, or eight bytes could be written to a one-byte stack variable location, corrupting adjacent memory.
Root Cause
The root cause is insufficient input validation in the codec initialization logic. The original implementation assumed only valid option values (E_INT or E_LONG variants) would be passed to the varint codec setup functions. Without explicit validation, unexpected option values would still be processed, potentially pairing incompatible decode functions with data buffers of incorrect sizes. This represents CWE-121 (Stack-based Buffer Overflow) where the overflow condition stems from improper bounds checking during codec configuration.
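As an added illustration of the root cause, not code from HTSlib or from the advisory: a miniature decoder selector written in the shape of the pre-fix ternary next to a strictly validated one, plus a width check a caller can apply as defence in depth. The enum values (CODEC_VARINT_UNSIGNED, OPT_BYTE and the other OPT_* names), the decoder functions (decode_u32, decode_u64), the selectors and the LEB128-style varint reader are all constructed for this example; the real codec, option and function names are the ones shown in the patch excerpt further down the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed enums modelled on the advisory text; not HTSlib's identifiers.
 * OPT_BYTE stands in for any width option the varint selector does not know
 * how to pair with a decoder. */
enum codec_id { CODEC_VARINT_UNSIGNED = 1 };
enum opt_id   { OPT_BYTE = 0, OPT_INT = 1, OPT_SINT = 2, OPT_LONG = 3, OPT_SLONG = 4 };

/* A decoder writes a fixed-width result into caller-provided storage. The
 * caller sizes that storage from the option, so a selector that hands back an
 * 8-byte decoder for a 1- or 4-byte option is exactly the overflow described. */
typedef int (*decode_fn)(const uint8_t *in, size_t in_len, void *out);

/* Destination width implied by each option (0 = unknown option). */
size_t option_width(int option) {
    switch (option) {
    case OPT_BYTE:                 return 1;
    case OPT_INT: case OPT_SINT:   return 4;
    case OPT_LONG: case OPT_SLONG: return 8;
    default:                       return 0;
    }
}

/* LEB128-style varint reader (constructed); returns bytes consumed or -1. */
int read_varint(const uint8_t *in, size_t in_len, uint64_t *val) {
    uint64_t v = 0;
    for (size_t i = 0; i < in_len && i < 10; i++) {
        v |= (uint64_t)(in[i] & 0x7f) << (7 * i);
        if (!(in[i] & 0x80)) { *val = v; return (int)(i + 1); }
    }
    return -1; /* truncated or overlong encoding */
}

int decode_u32(const uint8_t *in, size_t in_len, void *out) {
    uint64_t v;
    if (read_varint(in, in_len, &v) < 0 || v > UINT32_MAX) return -1;
    uint32_t v32 = (uint32_t)v;
    memcpy(out, &v32, sizeof v32);   /* writes 4 bytes */
    return 0;
}

int decode_u64(const uint8_t *in, size_t in_len, void *out) {
    uint64_t v;
    if (read_varint(in, in_len, &v) < 0) return -1;
    memcpy(out, &v, sizeof v);       /* writes 8 bytes */
    return 0;
}

/* Pre-fix shape: anything that is not OPT_INT gets the 8-byte decoder,
 * including OPT_BYTE, whose destination is a single byte. */
decode_fn select_decoder_lax(int codec, int option) {
    if (codec != CODEC_VARINT_UNSIGNED) return NULL;
    return (option == OPT_INT) ? decode_u32 : decode_u64;
}

/* Post-fix shape: only options whose width matches a decoder are accepted;
 * anything else is rejected (the real patch jumps to its malformed handler). */
decode_fn select_decoder_strict(int codec, int option) {
    if (codec != CODEC_VARINT_UNSIGNED) return NULL;
    if (option == OPT_INT || option == OPT_SINT)   return decode_u32;
    if (option == OPT_LONG || option == OPT_SLONG) return decode_u64;
    return NULL;
}

/* Defence-in-depth check for the caller: the decoder's write width must not
 * exceed the storage the option implies. */
int decoder_fits(decode_fn fn, int option) {
    size_t need = (fn == decode_u64) ? 8 : (fn == decode_u32) ? 4 : 0;
    return fn != NULL && need != 0 && need <= option_width(option);
}

/* Constructed sample: the canonical LEB128 encoding of 624485. */
static const uint8_t SAMPLE_624485[] = { 0xE5, 0x8E, 0x26 };
```

With the lax selector, an OPT_BYTE request comes back paired with decode_u64, and decoder_fits reports the mismatch; the strict selector refuses the pairing outright, which is the behaviour the patch introduces.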
Attack Vector
The attack vector is network-based and requires no privileges; the only user interaction needed is opening a malicious file. An attacker crafts a specially formed CRAM file containing malformed codec option values within the compression header. When a victim application using HTSlib opens this file, the parser processes the malformed encoding specification, triggering the buffer overflow condition.
The exploitation path involves:
- Creating a CRAM file with manipulated codec option fields in the compression block
- Distributing the malicious file (via email, shared storage, or research data repositories)
- The victim application processes the file using a vulnerable HTSlib version
- Memory corruption occurs during codec initialization
- Depending on the heap/stack layout, the attacker gains control-flow manipulation or the application crashes
// Security patch in cram/cram_codecs.c - Improve option checking for varint and const codecs
// does not change.
switch(codec) {
case E_VARINT_UNSIGNED:
- c->decode = (option == E_INT)
- ? cram_varint_decode_int
- : cram_varint_decode_long;
+ if (option == E_INT || option == E_SINT)
+ c->decode = cram_varint_decode_int;
+ else if (option == E_LONG || option == E_SLONG)
+ c->decode = cram_varint_decode_long;
+ else
+ goto malformed;
break;
case E_VARINT_SIGNED:
- c->decode = (option == E_INT)
- ? cram_varint_decode_sint
- : cram_varint_decode_slong;
+ if (option == E_INT || option == E_SINT)
+ c->decode = cram_varint_decode_sint;
+ else if (option == E_LONG || option == E_SLONG)
+ c->decode = cram_varint_decode_slong;
+ else
+ goto malformed;
break;
default:
- return NULL;
+ goto malformed;
}
c->free = cram_varint_decode_free;
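Review bot: the four new `goto malformed;` branches in the E_VARINT_UNSIGNED and E_VARINT_SIGNED cases, and the `default:` case that changes from `return NULL;` to `goto malformed;`, all depend on a `malformed:` label that is outside this excerpt; confirm that the label releases whatever `c` has acquired by this point before returning NULL, because replacing a bare `return NULL` with a jump into shared cleanup changes the failure path for the default case as well. The heading describes the change as covering varint and const codecs, but only the varint cases appear here; the const codec hunk should be shown or referenced alongside this one.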
Source: GitHub Commit Changes
Detection Methods for CVE-2026-31968
Indicators of Compromise
- Unexpected crashes in bioinformatics applications processing CRAM files with stack traces pointing to cram_codecs.c or varint decode functions
- Anomalous CRAM files with unusual or invalid codec option values in compression headers
- Memory corruption indicators such as heap canary violations or "stack smashing detected" errors
- Application core dumps indicating buffer overflows during file parsing operations
Detection Strategies
- Deploy file integrity monitoring on CRAM file storage locations to identify potentially malicious file modifications
- Implement runtime memory protection tools (AddressSanitizer, Valgrind) in development and testing environments to catch overflow conditions
- Monitor application logs for segmentation faults or memory access violations during CRAM file processing
- Use static analysis tools to identify HTSlib version dependencies across your software inventory
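To make the crash-monitoring items above concrete, here is an added example (not from the advisory, and not HTSlib code) that classifies log lines into segfault and stack-smashing events for processes known to link HTSlib and ignores crashes of unrelated processes. The sample lines are constructed in kernel "segfault at" and glibc fortify style with placeholder addresses, and the process list and function names are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample lines; not real captures, addresses are placeholders. */
static const char *SAMPLE_LOG[] = {
    "kernel: samtools[4123]: segfault at 7ffd2c1e0000 ip 00007f3a0c1b2d4e sp 00007ffd2c1dffd0 error 6 in libhts.so.3",
    "samtools: *** stack smashing detected ***: terminated",
    "kernel: sshd[811]: segfault at 0 ip 000055d1a2b3c4d5 sp 00007ffc11223340 error 4 in sshd",
    "bcftools: view finished, 1203 records written",
    "kernel: bcftools[4201]: segfault at 1 ip 00007f3a0c1b3000 sp 00007ffd2c1e0010 error 6 in libhts.so.3",
};
static const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

enum crash_kind { CRASH_NONE = 0, CRASH_SEGFAULT = 1, CRASH_STACK_SMASH = 2 };

/* Process names known to link HTSlib (assumed list; extend with local tools). */
static const char *HTS_PROCS[] = { "samtools", "bcftools", "htsfile", NULL };

/* A line is in scope if it names the shared library or an HTSlib-based tool. */
int mentions_hts(const char *line) {
    if (strstr(line, "libhts.so")) return 1;
    for (int i = 0; HTS_PROCS[i]; i++)
        if (strstr(line, HTS_PROCS[i])) return 1;
    return 0;
}

/* Maps one log line to a crash category; lines about other processes are ignored. */
enum crash_kind classify_line(const char *line) {
    if (!mentions_hts(line)) return CRASH_NONE;
    if (strstr(line, "stack smashing detected")) return CRASH_STACK_SMASH;
    if (strstr(line, "segfault at") || strstr(line, "general protection fault"))
        return CRASH_SEGFAULT;
    return CRASH_NONE;
}

/* Tallies crash events over a batch of lines; returns the total count. */
int count_hts_crashes(const char **lines, size_t n, int *segfaults, int *smashes) {
    *segfaults = *smashes = 0;
    for (size_t i = 0; i < n; i++) {
        switch (classify_line(lines[i])) {
        case CRASH_SEGFAULT:    (*segfaults)++; break;
        case CRASH_STACK_SMASH: (*smashes)++;   break;
        default: break;
        }
    }
    return *segfaults + *smashes;
}
```

Over the five constructed lines the counter reports two segfaults and one stack-smashing abort, all attributable to HTSlib-linked processes, while the sshd crash and the normal bcftools completion line are left out of the tally; a real deployment would feed it journal or syslog output and raise an alert when the total is non-zero.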
Monitoring Recommendations
- Enable enhanced logging for bioinformatics pipeline applications to capture file processing failures
- Configure endpoint detection to alert on application crashes associated with HTSlib-dependent processes
- Implement network monitoring for CRAM file transfers from untrusted sources
- Set up vulnerability scanning to track HTSlib versions deployed across research infrastructure
How to Mitigate CVE-2026-31968
Immediate Actions Required
- Upgrade HTSlib to patched versions: 1.23.1, 1.22.2, or 1.21.1 immediately
- Audit systems to identify all applications and pipelines using HTSlib
- Restrict processing of CRAM files from untrusted sources until patching is complete
- Rebuild dependent applications (samtools, bcftools, etc.) against the patched HTSlib version
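An added helper for the version audit in the list above and for the ranges listed under Affected Products (example code, not HTSlib's and not from the advisory): it parses a MAJOR.MINOR[.PATCH] string, reports whether it falls in one of the affected ranges, and names the patched release in the same line. The parser and the assumed "htsfile (htslib) 1.22.1" banner format are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parses "MAJOR.MINOR[.PATCH]" (constructed parser, not HTSlib's).
 * Returns 0 on success, -1 if the string does not start with MAJOR.MINOR. */
int parse_version(const char *s, int *maj, int *min, int *pat) {
    *maj = *min = *pat = 0;
    return sscanf(s, "%d.%d.%d", maj, min, pat) >= 2 ? 0 : -1;
}

/* Skips to the first digit in a tool banner such as the assumed
 * "htsfile (htslib) 1.22.1" line; returns NULL if there is none. */
const char *version_from_banner(const char *line) {
    for (; line && *line; line++)
        if (isdigit((unsigned char)*line)) return line;
    return NULL;
}

/* 1 = in an affected range, 0 = not affected, -1 = unparseable.
 * Ranges follow the advisory: prior to 1.21.1, 1.22.x prior to 1.22.2,
 * and 1.23 prior to 1.23.1. */
int htslib_affected(const char *version) {
    int maj, min, pat;
    if (!version || parse_version(version, &maj, &min, &pat) < 0) return -1;
    if (maj != 1)  return maj < 1;  /* 0.x is "prior to 1.21.1"; 2.x is outside the listed ranges */
    if (min < 21)  return 1;
    if (min == 21) return pat < 1;
    if (min == 22) return pat < 2;
    if (min == 23) return pat < 1;
    return 0;                       /* later minor releases are not in the listed ranges */
}

/* Patched release in the same line, or NULL when no upgrade is needed. */
const char *recommended_upgrade(const char *version) {
    int maj, min, pat;
    if (htslib_affected(version) != 1) return NULL;
    parse_version(version, &maj, &min, &pat);
    if (maj < 1 || min <= 21) return "1.21.1";
    if (min == 22)            return "1.22.2";
    return "1.23.1";
}
```

Feed it the output of `htsfile --version` from each host in the inventory and the result tells you both whether that host is exposed and which of the three patched releases to move it to; an unparseable answer (-1) is worth flagging too, since it usually means a vendored or renamed build that needs a manual check.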
Patch Information
The HTSlib maintainers have released security patches in versions 1.23.1, 1.22.2, and 1.21.1. The fix adds explicit validation of the option parameter in varint and const codec initialization, rejecting invalid option values by jumping to a malformed error handler rather than proceeding with potentially dangerous decoder assignments. The patch is available via the GitHub Security Advisory GHSA-cgcm-c9r2-p57j and the patch commit.
Workarounds
- There is no workaround available for this vulnerability according to the vendor advisory
- The only mitigation is upgrading to a patched HTSlib version
- Consider temporarily disabling CRAM file support if your workflows can use alternative formats (BAM/SAM) until patching is complete
# Verify installed HTSlib version and upgrade
# Check current version
htsfile --version
# Update via package manager (example for conda)
conda update -c bioconda htslib
# Or compile from patched source
git clone https://github.com/samtools/htslib.git
cd htslib
git checkout 1.23.1
make && make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.