CVE-2026-31962

EPSS 0.06%
Veröffentlicht 18.03.2026 18:08:26
Zuletzt bearbeitet 19.03.2026 17:30:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `cram_decode_seq()` did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program.  It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 4 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Htslib ≫ Htslib Version < 1.21.1

Htslib ≫ Htslib Version >= 1.22 < 1.22.2

Htslib ≫ Htslib Version1.23

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.173

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	8.8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-122 Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

CWE-129 Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://github.com/samtools/htslib/security/advisories/GHSA-xxmp-v7h3-gpwp

Patch

Vendor Advisory

https://github.com/samtools/htslib/commit/d799b54c6401879187bba4741be83ff590ac73e3

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-31962

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31962

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31962

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-31962