CVE-2026-31966 - Vulnerability Analysis
CriticalCVSS: 9.1Last Updated: March 19, 2026
HTSlib - Information Disclosure
Published: March 18, 2026Updated: March 19, 2026Remote Exploitable
Overview
HTSlib contains an information disclosure caused by insufficient validation in cram_decode_seq() function when decoding CRAM records, letting attackers leak arbitrary data from memory, exploit requires crafted CRAM data.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can leak arbitrary memory data, potentially exposing sensitive information or causing program crashes.
Mitigation
Update to version 1.23.1, 1.22.2, 1.21.1 or later.
References
- https://github.com/samtools/htslib/commit/22ec5230ef95769ab009420da69568c7e530af28
- https://github.com/samtools/htslib/commit/2a45eb129d703ad27f9fabc8169f0e94d3c69fa3
- https://github.com/samtools/htslib/commit/4a5ef25eb1fb3d64438103316fffe423b2c3f5f4
- https://github.com/samtools/htslib/security/advisories/GHSA-5cj8-mj52-8vp3
Related Resources
Details
- CVE ID
- CVE-2026-31966
- Severity
- Critical
- CVSS Score
- 9.1
- Type
- undefined
- Status
- confirmed
CWE
- CWE-125
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H