CVE-2026-31972 Overview
CVE-2026-31972 is a Use After Free (UAF) vulnerability in SAMtools, a widely-used bioinformatics tool for reading, manipulating, and writing sequence alignment/map (SAM/BAM) format files. The vulnerability exists in the mpileup command, which outputs DNA sequences aligned against a known reference. Under certain conditions, reference data can be discarded prematurely, leading to an attempt to read from a pointer to freed memory.
Critical Impact
This vulnerability may allow information about program state to be leaked, potentially exposing sensitive genomic data or internal memory contents. It may also cause program crashes through invalid memory access, disrupting bioinformatics workflows.
Affected Products
- SAMtools versions prior to 1.21.1
- SAMtools versions prior to 1.22
- All installations using the mpileup command with reference files
Discovery Timeline
- 2026-03-18 - CVE-2026-31972 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-31972
Vulnerability Analysis
This Use After Free vulnerability occurs in the mpileup command's reference data management logic. The mpileup command processes DNA sequence alignments by outputting the reference position and all DNA bases aligned to that position. To optimize memory usage, the command discards reference data that is no longer needed after it has been printed.
The root cause lies in the buffer management structure within bam_plcmd.c. The original implementation used a two-element buffer (ref[2], ref_id[2], ref_len[2]) for storing reference data, which proved insufficient under certain processing conditions. This buffer undersize led to premature freeing of reference data that was still being accessed by other parts of the code.
Root Cause
The vulnerability stems from inadequate buffer sizing in the mplp_ref_t structure used to track reference data. The two-slot buffer design failed to account for edge cases where more reference tracking slots were needed, causing the system to overwrite or free data that was still in active use. This is a classic memory management issue where buffer capacity did not match operational requirements.
Attack Vector
The vulnerability is exploitable over the network by supplying specially crafted BAM/SAM files or reference data to a SAMtools instance running mpileup. An attacker could potentially:
- Craft malicious alignment files that trigger the premature data discard condition
- Cause information leakage by reading freed memory contents
- Trigger denial of service through program crashes
The patch addresses this by expanding the buffer from two to three elements:
} mplp_conf_t;
typedef struct {
- char *ref[2];
- int ref_id[2];
- hts_pos_t ref_len[2];
+ char *ref[3];
+ int ref_id[3];
+ hts_pos_t ref_len[3];
} mplp_ref_t;
-#define MPLP_REF_INIT {{NULL,NULL},{-1,-1},{0,0}}
+#define MPLP_REF_INIT {{NULL,NULL,NULL},{-1,-1,-1},{0,0,0}}
typedef struct {
samFile *fp;
Source: GitHub Commit 3036eb9af945fcef359427a2d359855553da4adf
Detection Methods for CVE-2026-31972
Indicators of Compromise
- Unexpected crashes in SAMtools during mpileup operations
- Abnormal memory access patterns in SAMtools processes
- Unusual output corruption or garbled reference data in mpileup results
- Process termination with segmentation fault signals during sequence alignment operations
Detection Strategies
- Monitor SAMtools processes for segmentation faults or abnormal termination
- Implement application logging to capture unexpected behavior during mpileup command execution
- Deploy memory sanitizers (AddressSanitizer) in development/testing environments to detect use-after-free conditions
- Review system logs for repeated SAMtools process crashes
Monitoring Recommendations
- Configure process monitoring for SAMtools instances to alert on unexpected terminations
- Implement file integrity monitoring on bioinformatics pipeline inputs
- Monitor for unusual patterns of SAMtools restarts or error messages
- Enable core dump analysis for crashed SAMtools processes to identify exploitation attempts
How to Mitigate CVE-2026-31972
Immediate Actions Required
- Upgrade SAMtools to version 1.21.1 or 1.22 immediately
- Audit systems for affected SAMtools versions using samtools --version
- Restrict network access to systems running vulnerable SAMtools instances
- Review and validate input sources for mpileup operations
Patch Information
The SAMtools development team has released fixed versions addressing this vulnerability. Users should update to SAMtools version 1.21.1 or 1.22 which contain the corrected buffer sizing in the mplp_ref_t structure. The fix is available in commit 3036eb9af945fcef359427a2d359855553da4adf. For detailed information, refer to the GitHub Security Advisory GHSA-72c8-4jf3-f27p.
Workarounds
- There is no workaround for this issue - upgrading is required
- As a temporary measure, restrict access to SAMtools instances from untrusted networks
- Validate and sanitize all input files processed by mpileup
- Consider running SAMtools in isolated containers with memory limits to contain potential crashes
# Verify SAMtools version and upgrade if necessary
samtools --version
# On Debian/Ubuntu systems with bioconda
conda update -c bioconda samtools
# Building from source with the fix
git clone https://github.com/samtools/samtools.git
cd samtools
git checkout 1.22
make
make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
