FKIE_CVE-2026-31971

Vulnerability from fkie_nvd - Published: 2026-03-18 20:16 - Updated: 2026-03-19 13:58
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Summary
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_LEN` method, the `cram_byte_array_len_decode()` failed to validate that the amount of data being unpacked matched the size of the output buffer where it was to be stored. Depending on the data series being read, this could result either in a heap or a stack overflow with attacker-controlled bytes. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
References
security-advisories@github.comhttps://github.com/samtools/htslib/commit/01cd003b46fa2ebea4d9be5475b11217eb4c11bePatch
security-advisories@github.comhttps://github.com/samtools/htslib/security/advisories/GHSA-jvx4-4wq7-6fmhPatch, Vendor Advisory
Impacted products
Vendor Product Version
htslib htslib *
htslib htslib *
htslib htslib 1.23
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A069D6B6-FFF6-4DB7-9811-A568ECC4B288",
              "versionEndExcluding": "1.21.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9D525C8-C8AD-4368-A396-EB4D9DA02B1C",
              "versionEndExcluding": "1.22.2",
              "versionStartIncluding": "1.22",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*",
              "matchCriteriaId": "AAA6BBB2-76F3-4372-9BAE-FDE157401EFD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_LEN` method, the `cram_byte_array_len_decode()` failed to validate that the amount of data being unpacked matched the size of the output buffer where it was to be stored. Depending on the data series being read, this could result either in a heap or a stack overflow with attacker-controlled bytes. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue."
    },
    {
      "lang": "es",
      "value": "HTSlib es una biblioteca para leer y escribir formatos de archivo de bioinform\u00e1tica. CRAM es un formato comprimido que almacena datos de alineaci\u00f3n de secuencias de ADN utilizando una variedad de codificaciones y m\u00e9todos de compresi\u00f3n. Al leer datos codificados utilizando el m\u00e9todo \u0027BYTE_ARRAY_LEN\u0027, la funci\u00f3n \u0027cram_byte_array_len_decode()\u0027 no valid\u00f3 que la cantidad de datos que se estaban desempaquetando coincidiera con el tama\u00f1o del b\u00fafer de salida donde se iba a almacenar. Dependiendo de la serie de datos que se leyera, esto podr\u00eda resultar en un desbordamiento de mont\u00f3n o un desbordamiento de pila con bytes controlados por el atacante. Dependiendo del flujo de datos, esto podr\u00eda resultar en un desbordamiento de b\u00fafer en el mont\u00f3n o un desbordamiento de pila. Si un usuario abre un archivo dise\u00f1ado para explotar este problema, podr\u00eda provocar el bloqueo del programa, la sobrescritura de estructuras de datos en el mont\u00f3n o la pila de maneras no esperadas por el programa, o el cambio del flujo de control del programa. Podr\u00eda ser posible usar esto para obtener ejecuci\u00f3n de c\u00f3digo arbitrario. Las versiones 1.23.1, 1.22.2 y 1.21.1 incluyen correcciones para este problema. No hay una soluci\u00f3n alternativa para este problema."
    }
  ],
  "id": "CVE-2026-31971",
  "lastModified": "2026-03-19T13:58:31.573",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-18T20:16:22.243",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/samtools/htslib/commit/01cd003b46fa2ebea4d9be5475b11217eb4c11be"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/samtools/htslib/security/advisories/GHSA-jvx4-4wq7-6fmh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-121"
        },
        {
          "lang": "en",
          "value": "CWE-122"
        },
        {
          "lang": "en",
          "value": "CWE-787"
        },
        {
          "lang": "en",
          "value": "CWE-1284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.