CVE-2026-31970
CVE-2026-31970 is a high-severity vulnerability in Htslib with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-122.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- CVSS v4: 7.1
- EPSS exploit prediction: 0% (36th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-12946
- Weakness: CWE-122
- Affected product: Htslib
- Published:
- Last modified:
Description
HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP [BGZF] files. In the GZI loading function, `bgzf_index_load_hfile()`, it was possible to trigger an integer overflow, leading to an under- or zero-sized buffer being allocated to store the index. Sixteen zero bytes would then be written to this buffer, and, depending on the result of the overflow the rest of the file may also be loaded into the buffer as well. If the function did attempt to load the data, it would eventually fail due to not reading the expected number of records, and then try to free the overflowed heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. The easiest work-around is to discard any `.gzi` index files from untrusted sources, and use the `bgzip -r` option to recreate them.
Frequently asked questions
- What is CVE-2026-31970?
- HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP [BGZF] files. In the GZI loading function, `bgzf_index_load_hfile()`, it was possible to trigger an integer overflow, leading to an under- or zero-sized buffer being allocated to store the index. Sixteen zero bytes would then be written to this buffer, and, depending on the result of the overflow the rest of the file may also be loaded into the buffer as well. If the function did attempt to load the data, it would eventually fail due to not reading the expected number of records, and then try to free the overflowed heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. The easiest work-around is to discard any `.gzi` index files from untrusted sources, and use the `bgzip -r` option to recreate them.
- How severe is CVE-2026-31970?
- CVE-2026-31970 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity high, and availability high.
- Is CVE-2026-31970 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (36th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-31970?
- CVE-2026-31970 primarily affects Htslib. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-31970?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-31970 have an EU (EUVD) identifier?
- Yes. CVE-2026-31970 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-12946.
- When was CVE-2026-31970 published?
- CVE-2026-31970 was published on 2026-03-18 and last updated on 2026-06-17.
References
- https://github.com/samtools/htslib/commit/6dd0d7d0e9e7e2e173a28969e624db8bc8bb5828
- https://github.com/samtools/htslib/security/advisories/GHSA-p345-84hx-fq6q
- http://www.openwall.com/lists/oss-security/2026/03/18/9
Affected products (2)
- cpe:2.3:a:htslib:htslib:*:*:*:*:*:*:*:*
- cpe:2.3:a:htslib:htslib:1.23:*:*:*:*:*:*:*
More vulnerabilities in Htslib
- CVE-2018-13845 — Critical (CVSS 9.8): An issue has been found in HTSlib 1.8. It is a buffer over-read in sam_parse1 in sam.c.
- CVE-2017-1000206 — Critical (CVSS 9.8): samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in…
- CVE-2026-31967 — Critical (CVSS 9.1): HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA…
- CVE-2026-31966 — Critical (CVSS 9.1): HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA…
- CVE-2026-31962 — High (CVSS 8.8): HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA…
- CVE-2020-36403 — High (CVSS 8.8): HTSlib through 1.10.2 allows out-of-bounds write access in vcf_parse_format (called from vcf_parse and vcf_read).
Other CWE-122 (Heap-based Buffer Overflow) vulnerabilities
- CVE-2026-46752 — Critical (CVSS 10.0): Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from…
- CVE-2026-24822 — Critical (CVSS 10.0): Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in ttttupup wxhelper (src modules). This vulnerability is…
- CVE-2025-23123 — Critical (CVSS 10.0): A malicious actor with access to the management network could execute a remote code execution (RCE) by exploiting a…
- CVE-2022-34819 — Critical (CVSS 10.0): A vulnerability has been identified in SIMATIC CP 1242-7 V2 (All versions < V3.3.46), SIMATIC CP 1243-1 (All versions <…
- CVE-2026-44050 — Critical (CVSS 9.9): A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote…
- CVE-2026-49841 — Critical (CVSS 9.8): FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to…
Browse all CWE-122 (Heap-based Buffer Overflow) vulnerabilities →