CVE-2026-31968
CVE-2026-31968 is a high-severity vulnerability in Htslib with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-121.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- CVSS v4: 8.8
- EPSS exploit prediction: 0% (33rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-12942
- Weakness: CWE-121
- Affected product: Htslib
- Published:
- Last modified:
Description
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For the `VARINT` and `CONST` encodings, incomplete validation of the context in which the encodings were used could result in up to eight bytes being written beyond the end of a heap allocation, or up to eight bytes being written to the location of a one byte variable on the stack, possibly causing the values to adjacent variables to change unexpectedly. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Frequently asked questions
- What is CVE-2026-31968?
- HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For the `VARINT` and `CONST` encodings, incomplete validation of the context in which the encodings were used could result in up to eight bytes being written beyond the end of a heap allocation, or up to eight bytes being written to the location of a one byte variable on the stack, possibly causing the values to adjacent variables to change unexpectedly. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
- How severe is CVE-2026-31968?
- CVE-2026-31968 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity high, and availability high.
- Is CVE-2026-31968 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (33rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-31968?
- CVE-2026-31968 primarily affects Htslib. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-31968?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-31968 have an EU (EUVD) identifier?
- Yes. CVE-2026-31968 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-12942.
- When was CVE-2026-31968 published?
- CVE-2026-31968 was published on 2026-03-18 and last updated on 2026-06-17.
References
- https://github.com/samtools/htslib/commit/0ec436796eca7b4ce7fcc9b77270c102da29bb2e
- https://github.com/samtools/htslib/security/advisories/GHSA-cgcm-c9r2-p57j
Affected products (2)
- cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*
- cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*
More vulnerabilities in Htslib
- CVE-2018-13845 — Critical (CVSS 9.8): An issue has been found in HTSlib 1.8. It is a buffer over-read in sam_parse1 in sam.c.
- CVE-2017-1000206 — Critical (CVSS 9.8): samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in…
- CVE-2026-31967 — Critical (CVSS 9.1): HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA…
- CVE-2026-31966 — Critical (CVSS 9.1): HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA…
- CVE-2026-31962 — High (CVSS 8.8): HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA…
- CVE-2020-36403 — High (CVSS 8.8): HTSlib through 1.10.2 allows out-of-bounds write access in vcf_parse_format (called from vcf_parse and vcf_read).
Other CWE-121 (Stack-based Buffer Overflow) vulnerabilities
- CVE-2026-12848 — Critical (CVSS 10.0): GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and…
- CVE-2026-12847 — Critical (CVSS 10.0): GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and…
- CVE-2026-12846 — Critical (CVSS 10.0): GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and…
- CVE-2026-12485 — Critical (CVSS 10.0): GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and…
- CVE-2026-37541 — Critical (CVSS 10.0): Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length…
- CVE-2026-42996 — Critical (CVSS 10.0): JS8Call through 2.3.1 and JS8Call-improved before 3.0 have a stack-based buffer overflow via a radio transmission of…
Browse all CWE-121 (Stack-based Buffer Overflow) vulnerabilities →