HTSlib is a widely used C library for reading and writing bioinformatics file formats such as BAM, SAM, and CRAM, which store DNA sequence alignment data. CRAM is a compressed format that can omit DNA sequence and quality values in certain records to save space. Due to the format's quirks, the cram_decode_seq() function must carefully handle these records, consuming and discarding data appropriately. In vulnerable versions of htslib, cram_decode_seq() incorrectly processes these records, leading to reading one byte beyond the allocated heap buffer and subsequently writing a single attacker-controlled byte to that out-of-bounds location. This results in a heap-based buffer overflow (CWE-122), which can corrupt heap metadata or adjacent memory structures. Such corruption can cause program crashes or be leveraged by attackers to execute arbitrary code remotely without authentication or user interaction. The vulnerability affects multiple versions of htslib, specifically versions before 1.21.1, versions from 1.22 up to but not including 1.22.2, and version 1.23. The issue was fixed in versions 1.21.1, 1.22.2, and 1.23.1. No workarounds exist, and no known exploits have been reported in the wild as of publication. The CVSS 4.0 base score is 8.8, reflecting high severity due to network attack vector, no required privileges or user interaction, and potential for high impact on integrity and availability. The vulnerability is tagged with multiple CWEs related to buffer overflows and improper memory handling (CWE-122, CWE-125, CWE-129, CWE-787).

This vulnerability poses a significant risk to organizations that use htslib for processing genomic data, including research institutions, healthcare providers, pharmaceutical companies, and bioinformatics service providers. Exploitation can lead to denial of service via program crashes, data corruption affecting the integrity of critical genomic datasets, and potentially remote code execution, which could allow attackers to execute arbitrary commands or implant malware within systems handling sensitive genetic information. Given the increasing reliance on genomic data for personalized medicine and research, compromise of these systems could have severe consequences including loss of data confidentiality, disruption of research workflows, and damage to organizational reputation. The lack of required authentication or user interaction lowers the barrier for exploitation, increasing the urgency for patching. Although no exploits are known in the wild yet, the public disclosure and high severity score suggest attackers may develop exploits soon, especially targeting organizations with high-value genomic data.

Organizations should immediately identify and inventory all systems and applications using htslib versions prior to 1.21.1, between 1.22 and 1.22.2, or version 1.23. They must upgrade to the fixed versions 1.21.1, 1.22.2, or 1.23.1 as soon as possible. Since no workarounds exist, patching is the only effective mitigation. Additionally, organizations should implement strict input validation and sandboxing for processes handling untrusted CRAM files to limit potential damage from exploitation. Monitoring and logging of applications processing genomic data should be enhanced to detect abnormal crashes or suspicious behavior indicative of exploitation attempts. Network segmentation and access controls should be applied to restrict exposure of vulnerable services. Finally, organizations should keep abreast of threat intelligence updates for any emerging exploits targeting this vulnerability and be prepared to deploy incident response measures if exploitation is detected.