The vulnerability CVE-2026-31963 affects the htslib library, a core component of samtools widely used for reading and writing bioinformatics file formats such as CRAM, which compresses DNA sequence alignment data by referencing external sequences and encoding differences as features. The issue stems from an out-of-bounds write caused by an off-by-one error during the decoding of CRAM features that extend beyond the actual sequence length. This results in a heap-based buffer overflow where one attacker-controlled byte is written beyond the allocated heap buffer. Such memory corruption can lead to program instability, crashes, or more critically, arbitrary code execution if exploited successfully. The vulnerability requires no privileges or user interaction, making it remotely exploitable simply by opening a maliciously crafted CRAM file. The affected versions are those prior to 1.21.1, between 1.22 and 1.22.2, and version 1.23.1. The developers have released patches in versions 1.21.1, 1.22.2, and 1.23.1 to address this flaw. No alternative mitigations or workarounds are available, emphasizing the need for timely patching. The CVSS 4.0 base score is 8.8, reflecting its high severity due to ease of exploitation and potential impact on confidentiality and integrity of systems processing genomic data.

This vulnerability can have severe consequences for organizations that utilize samtools and htslib for genomic data processing, including research institutions, healthcare providers, pharmaceutical companies, and biotech firms. Exploitation could lead to denial of service through application crashes or, more dangerously, arbitrary code execution, potentially allowing attackers to execute malicious payloads within the context of the vulnerable application. This could compromise sensitive genomic data confidentiality and integrity, disrupt critical bioinformatics workflows, and potentially serve as a foothold for further network intrusion. Given the specialized nature of the software, the impact is concentrated in sectors handling DNA sequencing data but can affect any organization relying on vulnerable versions. The lack of required authentication or user interaction increases the risk, especially in automated pipelines processing untrusted data. The absence of workarounds further elevates the urgency to apply patches promptly to avoid exploitation.

Organizations should immediately identify and inventory all instances of samtools and htslib in their environments, especially those processing CRAM files. They must upgrade to fixed versions 1.21.1, 1.22.2, or 1.23.1 or later as soon as possible. For environments where immediate patching is challenging, consider isolating systems that process external or untrusted CRAM files to limit exposure. Implement strict input validation and scanning of bioinformatics data files before processing to detect potentially malformed or malicious CRAM files. Employ runtime protections such as heap memory protection mechanisms (e.g., ASLR, heap canaries) and sandboxing of bioinformatics tools to reduce the impact of exploitation. Monitor systems for unusual crashes or behavior indicative of exploitation attempts. Additionally, maintain up-to-date threat intelligence feeds to detect any emerging exploit activity targeting this vulnerability. Finally, establish secure data handling policies and restrict access to bioinformatics processing environments to trusted personnel and systems.