CVE-2026-31973 Overview
CVE-2026-31973 is a NULL Pointer Dereference vulnerability in SAMtools, a widely used bioinformatics program for reading, manipulating, and writing bioinformatics file formats. The vulnerability exists in the cram-size command, which reports how well the data series in a CRAM file are compressed. Starting in version 1.17, the return value of cram_decode_compression_header() is not checked, so when that function returns an error the caller dereferences a NULL pointer.
Critical Impact
Triggering this vulnerability dereferences a NULL pointer, which crashes the SAMtools process and results in a denial of service for the bioinformatics workflows and research pipelines that depend on it.
Affected Products
- SAMtools versions 1.17 through 1.21.0
- SAMtools versions 1.22.0 through 1.22.1
- SAMtools version 1.23
Discovery Timeline
- 2026-03-18 - CVE-2026-31973 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-31973
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference). The flaw resides in the cram_size.c file, which handles CRAM file compression analysis. When processing CRAM files, the cram-size command calls cram_decode_compression_header() to decode compression header information. However, the code fails to verify whether this function returns successfully or encounters an error condition.
When cram_decode_compression_header() fails it returns NULL, but the subsequent code continues execution as if valid header data had been returned. Dereferencing that NULL pointer crashes the SAMtools process immediately. The attack surface is effectively remote: a maliciously crafted CRAM file can be delivered over the network (for example, downloaded from a public repository) and then processed locally by a vulnerable SAMtools installation.
Root Cause
The root cause is insufficient error handling in the cram_size.c source file. The code assumes that cram_decode_compression_header() will always succeed and does not implement proper validation of the function's return value. This missing defensive programming pattern allows error conditions to propagate into operations that cannot safely handle NULL pointers, resulting in undefined behavior and crashes.
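As an added illustration (not samtools or htslib code), the C below models the unchecked-call pattern described above next to the checked form that the fix introduces. The simplified header layout, the decode_compression_header() stand-in and the summarize_*() function names are constructed for this example and are not the real CRAM format or API.

```c
/* Added example, not samtools/htslib code: models CWE-476 as it occurs in
 * cram-size.  The header layout and function names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a decoded CRAM compression header. */
typedef struct {
    int num_data_series;
    size_t payload_bytes;
} comp_hdr;

/* Stand-in for cram_decode_compression_header(): returns NULL on error,
 * as the real function does.  A "valid" header here is the constructed
 * 4-byte magic "CHDR" followed by one byte giving the data-series count. */
static comp_hdr *decode_compression_header(const uint8_t *buf, size_t len) {
    if (len < 5 || memcmp(buf, "CHDR", 4) != 0)
        return NULL;                      /* malformed input -> error */
    comp_hdr *h = malloc(sizeof *h);
    if (!h)
        return NULL;                      /* allocation failure -> error */
    h->num_data_series = buf[4];
    h->payload_bytes = len - 5;
    return h;
}

/* Vulnerable pattern: the result is used without checking it, so a
 * malformed header makes this dereference NULL and crash (SIGSEGV). */
int summarize_unchecked(const uint8_t *buf, size_t len) {
    comp_hdr *h = decode_compression_header(buf, len);
    int n = h->num_data_series;           /* NULL dereference on error */
    free(h);
    return n;
}

/* Fixed pattern: check the return value and report failure to the caller
 * instead of continuing with a NULL pointer. */
int summarize_checked(const uint8_t *buf, size_t len, int *out) {
    comp_hdr *h = decode_compression_header(buf, len);
    if (!h)
        return -1;                        /* propagate the decode error */
    *out = h->num_data_series;
    free(h);
    return 0;
}

/* Constructed inputs: a well-formed header and a truncated one. */
const uint8_t good_hdr[] = { 'C', 'H', 'D', 'R', 7, 0, 0 };
const uint8_t bad_hdr[]  = { 'C', 'H' };
```

Running summarize_unchecked() on bad_hdr reproduces the crash class the advisory describes, while summarize_checked() turns the same input into an ordinary error return.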
Attack Vector
An attacker can exploit this vulnerability by providing a specially crafted CRAM file that triggers an error condition in cram_decode_compression_header(). When a user or automated pipeline processes this malicious file using the cram-size command, the NULL pointer dereference occurs, crashing the application. This attack vector is particularly relevant in bioinformatics environments where CRAM files are frequently exchanged between research institutions or downloaded from public repositories.
/* cram_size.c -- produces summary of the size of each cram data-series
- Copyright (C) 2023 Genome Research Ltd.
+ Copyright (C) 2023,2026 Genome Research Ltd.
Author: James Bonfield <jkb@sanger.ac.uk>
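Review bot: the hunk shown only updates the copyright year in the file header comment; the return-value check on cram_decode_compression_header() that the patch description attributes to this commit is not in the excerpt, so the excerpt should also carry the hunk around that call, where the added NULL check and its error return can actually be reviewed.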
Source: GitHub Commit
The patch updates the cram_size.c file to include proper error handling for the cram_decode_compression_header() function return value, preventing NULL pointer dereferences when the function fails.
Detection Methods for CVE-2026-31973
Indicators of Compromise
- Unexpected SAMtools process crashes when processing CRAM files
- Core dumps or segmentation fault signals (SIGSEGV) from SAMtools processes
- Repeated failures in bioinformatics pipelines involving the cram-size command
Detection Strategies
- Monitor for abnormal termination of SAMtools processes with NULL pointer dereference signatures
- Implement file integrity checking for incoming CRAM files before processing
- Deploy application crash monitoring to detect patterns of exploitation attempts
Monitoring Recommendations
- Enable crash reporting and logging for all SAMtools instances in production environments
- Set up alerting for repeated SAMtools process failures within short time windows
- Monitor file processing queues for suspicious CRAM files that consistently cause failures
How to Mitigate CVE-2026-31973
Immediate Actions Required
- Upgrade SAMtools to patched versions 1.21.1, 1.22.2, or 1.23.1 immediately
- Review and audit all bioinformatics pipelines using SAMtools for exposure to untrusted CRAM files
- Implement input validation for CRAM files before processing with SAMtools
Patch Information
The SAMtools development team has released patches in versions 1.21.1, 1.22.2, and 1.23.1. The fix implements proper error checking for the cram_decode_compression_header() function return value. Organizations should update to the appropriate patched version based on their current deployment:
- For SAMtools 1.21.x: Upgrade to 1.21.1
- For SAMtools 1.22.x: Upgrade to 1.22.2
- For SAMtools 1.23: Upgrade to 1.23.1
The security fix is available via the GitHub Security Advisory and the specific commit change.
Workarounds
- No workarounds are available for this vulnerability according to the vendor advisory
- The only effective mitigation is upgrading to a patched version of SAMtools
# Upgrade SAMtools to a patched version
# Example using conda (common in bioinformatics environments)
conda update samtools
# Verify the installed version is patched
samtools --version
# Ensure version is 1.21.1, 1.22.2, or 1.23.1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.