CVE-2026-31969 Overview
CVE-2026-31969 is a heap buffer overflow vulnerability in HTSlib, a widely used library for reading and writing bioinformatics file formats including CRAM (Compressed Reference-oriented Alignment Map). The vulnerability exists in the cram_byte_array_stop_decode_char() function, where an off-by-one error in the buffer boundary check allows a single attacker-controlled byte to be written beyond the end of a heap allocation when processing maliciously crafted CRAM files.
Critical Impact
This heap buffer overflow could allow attackers to crash bioinformatics applications, corrupt heap data structures, and potentially achieve arbitrary code execution through specially crafted CRAM files.
Affected Products
- HTSlib versions prior to 1.21.1
- HTSlib versions 1.22.x prior to 1.22.2
- HTSlib version 1.23
Discovery Timeline
- 2026-03-18 - CVE CVE-2026-31969 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-31969
Vulnerability Analysis
This vulnerability affects the CRAM file format decoder within HTSlib. CRAM is a compressed format designed for storing DNA sequence alignment data using various encoding and compression methods. One such encoding method, BYTE_ARRAY_STOP, is used to encode variable-length byte arrays terminated by a specific stop byte.
The flaw resides in the cram_byte_array_stop_decode_char() function, which fails to correctly validate whether the output buffer has sufficient space before writing data. Due to an off-by-one error in the boundary checking logic, when the output buffer is full, the function incorrectly permits one additional byte to be written past the allocated heap buffer boundary.
This type of vulnerability is particularly concerning in the bioinformatics domain where researchers routinely process untrusted data files from public repositories and collaborative research projects. An attacker could craft a malicious CRAM file that, when opened by a vulnerable application using HTSlib, triggers the heap overflow condition.
Root Cause
The root cause is an off-by-one error (CWE-122: Heap-based Buffer Overflow) in the boundary validation logic of the cram_byte_array_stop_decode_char() function. The check meant to prevent writes past the end of the allocated buffer incorrectly uses a comparison operator that allows exactly one byte to be written beyond the buffer boundary. This single-byte overflow, while seemingly minor, can corrupt adjacent heap metadata or data structures, leading to exploitable conditions.
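To make the root cause concrete, the following is an added example and not HTSlib source: it does not reproduce cram_byte_array_stop_decode_char() or the exact comparison used there. It models the pattern the advisory describes, a decoder that copies bytes until a stop byte is seen and whose capacity check runs one step too late, next to the corrected form that checks before writing. The record bytes, the stop byte value 0x00, the 3-byte buffer and the 0xEE canary are all constructed for the demonstration; the canary sits inside a larger backing array so the demo itself stays within defined behaviour while still showing which decoder touches the byte past the end.

```c
/* Added illustrative example, not HTSlib source. It models the pattern the
 * advisory describes for cram_byte_array_stop_decode_char(): a decoder that
 * copies bytes until a stop byte and whose bound check runs one step too late.
 * The real function's code and exact comparison are not reproduced here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t produced;   /* bytes written to out */
    size_t consumed;   /* bytes read from in, including the stop byte if seen */
    int    error;      /* non-zero: no stop byte, or record did not fit */
} decode_result;

/* Vulnerable variant (hypothetical): the capacity check happens AFTER the
 * write, so when out is exactly full one more byte lands at out[out_cap]. */
decode_result decode_stop_array_vulnerable(const uint8_t *in, size_t in_len,
                                           uint8_t stop, uint8_t *out,
                                           size_t out_cap)
{
    decode_result r = {0, 0, 0};
    while (r.consumed < in_len) {
        uint8_t b = in[r.consumed++];
        if (b == stop)
            return r;
        out[r.produced++] = b;      /* write first ... */
        if (r.produced > out_cap) { /* ... then notice it did not fit */
            r.error = 1;
            return r;
        }
    }
    r.error = 1;                    /* input exhausted without a stop byte */
    return r;
}

/* Corrected variant: refuse the write when the buffer is already full. */
decode_result decode_stop_array_safe(const uint8_t *in, size_t in_len,
                                     uint8_t stop, uint8_t *out,
                                     size_t out_cap)
{
    decode_result r = {0, 0, 0};
    while (r.consumed < in_len) {
        uint8_t b = in[r.consumed++];
        if (b == stop)
            return r;
        if (r.produced >= out_cap) { /* check BEFORE writing */
            r.error = 1;
            return r;
        }
        out[r.produced++] = b;
    }
    r.error = 1;
    return r;
}

/* Constructed record: four payload bytes then the stop byte 0x00, decoded
 * into a 3-byte buffer. A canary (0xEE) sits just past the buffer inside a
 * larger backing array, so the demo stays within defined behaviour. */
enum { CAP = 3, CANARY = 0xEE };
static const uint8_t record[] = { 'A', 'C', 'G', 'T', 0x00 };

/* Returns 1 if the vulnerable decoder overwrote the canary with the 4th byte. */
int demo_overflow(void)
{
    uint8_t backing[CAP + 1];
    memset(backing, CANARY, sizeof backing);
    decode_result r = decode_stop_array_vulnerable(record, sizeof record, 0x00,
                                                   backing, CAP);
    return r.error == 1 && backing[CAP] == 'T';
}

/* Returns 1 if the safe decoder reported the overflow and left the canary alone. */
int demo_safe(void)
{
    uint8_t backing[CAP + 1];
    memset(backing, CANARY, sizeof backing);
    decode_result r = decode_stop_array_safe(record, sizeof record, 0x00,
                                             backing, CAP);
    return r.error == 1 && r.produced == CAP && backing[CAP] == CANARY;
}

/* Returns 1 if a record that fits ("ACG" + stop) decodes cleanly. */
int demo_fits(void)
{
    const uint8_t small[] = { 'A', 'C', 'G', 0x00 };
    uint8_t out[CAP];
    decode_result r = decode_stop_array_safe(small, sizeof small, 0x00, out, CAP);
    return r.error == 0 && r.produced == CAP && r.consumed == sizeof small
        && memcmp(out, "ACG", CAP) == 0;
}

int main(void)
{
    printf("vulnerable decoder clobbered canary: %s\n", demo_overflow() ? "yes" : "no");
    printf("safe decoder kept canary intact:     %s\n", demo_safe() ? "yes" : "no");
    printf("in-bounds record decodes cleanly:    %s\n", demo_fits() ? "yes" : "no");
    return 0;
}
```

The difference between the two decoders is a single line moved before the write and a comparison changed from a post-write `>` to a pre-write `>=`; that is the whole class of off-by-one the advisory describes, and the reason a one-byte write past a heap allocation is reachable from untrusted file content. Building with AddressSanitizer, as the Detection Strategies section recommends, would flag the vulnerable variant on the real heap as a heap-buffer-overflow at the write.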
Attack Vector
The attack requires user interaction—a victim must open a maliciously crafted CRAM file using an application that links against a vulnerable version of HTSlib. The attack is network-accessible as malicious files can be distributed via file sharing, email attachments, public data repositories, or compromised research databases.
When the vulnerable code path is triggered during file parsing, the attacker-controlled byte overwrites heap memory. Depending on the heap layout and allocator behavior, this can result in:
- Application crash - Immediate denial of service
- Heap metadata corruption - Enabling heap exploitation techniques
- Arbitrary code execution - Through careful heap manipulation and subsequent allocation patterns
/*
-Copyright (c) 2012-2021,2023, 2025 Genome Research Ltd.
+Copyright (c) 2012-2021,2023, 2025, 2026 Genome Research Ltd.
Author: James Bonfield <jkb@sanger.ac.uk>
Redistribution and use in source and binary forms, with or without
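Review bot: the only change visible in this excerpt is the copyright year in the file header (`2025` becomes `2025, 2026`); the boundary-check correction the text attributes to the commit is not in these lines, so the fix itself cannot be reviewed from what is shown. Include the hunk that touches cram_byte_array_stop_decode_char(), together with its `@@` header, alongside the header change so the comparison-operator fix can be verified.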
Source: GitHub Commit Update
The security patch corrects the boundary check in the CRAM codec implementation to properly validate buffer limits before writing data.
Detection Methods for CVE-2026-31969
Indicators of Compromise
- Unexpected crashes in applications using HTSlib when processing CRAM files
- Abnormal memory allocation patterns or heap corruption errors in bioinformatics pipelines
- Core dumps or segmentation faults during CRAM file parsing operations
- Suspicious CRAM files with unusual BYTE_ARRAY_STOP encoded data sections
Detection Strategies
- Monitor application logs for crashes or memory errors when processing CRAM format files
- Implement file integrity checks and source validation for CRAM files from external sources
- Use memory sanitizers (AddressSanitizer, Valgrind) during development to detect heap overflows
- Deploy endpoint detection solutions capable of identifying heap exploitation attempts
Monitoring Recommendations
- Track HTSlib version usage across bioinformatics infrastructure and flag vulnerable versions
- Establish alerting for unusual process terminations in genome analysis pipelines
- Monitor network traffic for downloads of CRAM files from untrusted or suspicious sources
- Implement centralized logging for all file processing operations in research environments
How to Mitigate CVE-2026-31969
Immediate Actions Required
- Update HTSlib to a patched version (1.21.1, 1.22.2, or 1.23.1) immediately
- Audit systems to identify all applications and dependencies using vulnerable HTSlib versions
- Restrict processing of CRAM files to trusted sources until patching is complete
- Review and update any Docker containers, Conda environments, or bioinformatics packages that bundle HTSlib
Patch Information
The HTSlib maintainers have released security updates to address this vulnerability. The fix corrects the boundary checking logic in the cram_byte_array_stop_decode_char() function to prevent the off-by-one heap overflow.
Fixed Versions:
- HTSlib 1.21.1
- HTSlib 1.22.2
- HTSlib 1.23.1
For detailed patch information, refer to the GitHub Security Advisory GHSA-q4cj-f4h5-fqgc and the security patch commit.
Workarounds
- There is no workaround for this vulnerability; patching is the only remediation
- As a temporary risk reduction measure, avoid processing CRAM files from untrusted sources
- Consider using alternative file formats (BAM/SAM) where possible until systems are patched
- Isolate vulnerable systems in sandboxed environments with restricted network access
# Verify HTSlib version and update
# Check current version
htsfile --version
# Update via package manager (example for Conda)
conda update -c bioconda htslib
# Verify the updated version is patched; -w keeps the match on whole version tokens
# (this pattern matches only the three fixed versions listed above)
htsfile --version | grep -Ew "1\.(21\.1|22\.2|23\.1)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.