FKIE_CVE-2026-31963

Vulnerability from fkie_nvd - Published: 2026-03-18 19:16 - Updated: 2026-03-19 14:50
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Summary
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding these features, an out-by-one error in a test for CRAM features that appear beyond the extent of the CRAM record sequence could result in an invalid write of one attacker-controlled byte beyond the end of a heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
References
security-advisories@github.comhttps://github.com/samtools/htslib/commit/8bcc9907be0f945ddc31796d64f078fa05456acdPatch
security-advisories@github.comhttps://github.com/samtools/htslib/security/advisories/GHSA-qgqh-h2q9-7w3cPatch, Vendor Advisory
Impacted products
Vendor Product Version
htslib htslib *
htslib htslib *
htslib htslib 1.23
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A069D6B6-FFF6-4DB7-9811-A568ECC4B288",
              "versionEndExcluding": "1.21.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9D525C8-C8AD-4368-A396-EB4D9DA02B1C",
              "versionEndExcluding": "1.22.2",
              "versionStartIncluding": "1.22",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*",
              "matchCriteriaId": "AAA6BBB2-76F3-4372-9BAE-FDE157401EFD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of \"features\". When decoding these features, an out-by-one error in a test for CRAM features that appear beyond the extent of the CRAM record sequence could result in an invalid write of one attacker-controlled byte beyond the end of a heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program.  It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue."
    },
    {
      "lang": "es",
      "value": "HTSlib es una biblioteca para leer y escribir formatos de archivo de bioinform\u00e1tica. CRAM es un formato comprimido que almacena datos de alineaci\u00f3n de secuencias de ADN. Como un m\u00e9todo para eliminar datos redundantes, CRAM utiliza compresi\u00f3n basada en referencias de modo que, en lugar de almacenar la secuencia completa para cada registro de alineaci\u00f3n, almacena una ubicaci\u00f3n en una secuencia de referencia externa junto con una lista de diferencias con la referencia en esa ubicaci\u00f3n como una secuencia de \u0027features\u0027. Al decodificar estas \u0027features\u0027, un error por uno en una prueba para \u0027features\u0027 de CRAM que aparecen m\u00e1s all\u00e1 del alcance de la secuencia de registro de CRAM podr\u00eda resultar en una escritura inv\u00e1lida de un byte controlado por el atacante m\u00e1s all\u00e1 del final de un b\u00fafer de pila. Explotar este error causa un desbordamiento de b\u00fafer de pila. Si un usuario abre un archivo dise\u00f1ado para explotar este problema, podr\u00eda provocar el bloqueo del programa o la sobrescritura de datos y estructuras de pila de formas no esperadas por el programa. Podr\u00eda ser posible usar esto para obtener ejecuci\u00f3n de c\u00f3digo arbitrario. Las versiones 1.23.1, 1.22.2 y 1.21.1 incluyen correcciones para este problema. No hay soluci\u00f3n alternativa para este problema."
    }
  ],
  "id": "CVE-2026-31963",
  "lastModified": "2026-03-19T14:50:54.513",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-18T19:16:04.440",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/samtools/htslib/commit/8bcc9907be0f945ddc31796d64f078fa05456acd"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/samtools/htslib/security/advisories/GHSA-qgqh-h2q9-7w3c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-122"
        },
        {
          "lang": "en",
          "value": "CWE-129"
        },
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.