CVE-2026-31964: CWE-476: NULL Pointer Dereference in samtools htslib
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `CONST`, `XPACK` and `XRLE` encodings did not properly implement the interface needed to do this. Trying to decode records with omitted sequence or quality data using these encodings would result in an attempt to write to a NULL pointer. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
AI Analysis
Technical Summary
CVE-2026-31964 is a vulnerability in the htslib library, a core component of samtools widely used for reading and writing bioinformatics file formats, including CRAM, which compresses DNA sequence alignment data. The CRAM format allows omission of sequence and quality data in certain records to save space, but these records must still be processed carefully. The vulnerability arises because the CONST, XPACK, and XRLE encodings in htslib did not correctly implement the interface to handle these omitted data records, leading to attempts to write to a NULL pointer during decoding. This NULL pointer dereference results in a program crash, causing a denial-of-service condition. The issue affects htslib versions before 1.21.1, versions from 1.22 up to but not including 1.22.2, and version 1.23.1. The vulnerability requires no authentication or user interaction and can be triggered remotely by processing crafted CRAM files. There are no known exploits in the wild, and no workaround exists other than applying the fixed versions. The CVSS 4.0 base score of 6.9 reflects the medium severity, with network attack vector, low complexity, no privileges required, and no user interaction needed. The impact is limited to availability due to crashes, with no direct confidentiality or integrity compromise. This vulnerability is particularly relevant to organizations processing genomic data using samtools and htslib, including research labs, healthcare institutions, and biotech firms.
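The defect class described above, illustrated as an added example (not htslib's code, and not CRAM's real codecs): a toy run-length decoder over a constructed byte stream, with the vulnerable form that assumes an output buffer always exists beside the hardened form that treats a NULL output pointer as "consume the record's encoded bytes, write nothing". The third function shows why the bytes must still be consumed: skipping an omitted record without advancing the stream leaves the next record decoding from the wrong offset and returning silently wrong data. Names such as `rle_decode_safe`, `decode_second_record` and the `STREAM` contents are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy stream (not CRAM): (run, value) pairs. Record 1 holds
 * 4 symbols encoded as (4,'A'); record 2 holds 3 symbols as (3,'G'). */
static const uint8_t STREAM[] = { 4, 'A', 3, 'G' };

/* Vulnerable pattern (the CWE-476 class the advisory describes): the decoder
 * assumes 'out' is always a real buffer, so a caller passing NULL to mean
 * "consume but discard" makes it write through a NULL pointer. */
int rle_decode_unsafe(const uint8_t *in, size_t in_len, size_t *pos,
                      uint8_t *out, size_t n) {
    size_t produced = 0;
    while (produced < n) {
        if (*pos + 2 > in_len) return -1;          /* truncated input */
        uint8_t run = in[*pos], val = in[*pos + 1];
        *pos += 2;
        if (run == 0) return -1;                    /* malformed run */
        for (size_t i = 0; i < run && produced < n; i++)
            out[produced++] = val;                  /* NULL deref when out == NULL */
    }
    return 0;
}

/* Hardened pattern: out == NULL is a supported mode meaning "consume the
 * encoded bytes for this record, write nothing". The stream position still
 * advances, so the following record decodes from the right offset. */
int rle_decode_safe(const uint8_t *in, size_t in_len, size_t *pos,
                    uint8_t *out, size_t n) {
    size_t produced = 0;
    while (produced < n) {
        if (*pos + 2 > in_len) return -1;
        uint8_t run = in[*pos], val = in[*pos + 1];
        *pos += 2;
        if (run == 0) return -1;
        size_t take = run;
        if (take > n - produced) take = n - produced;
        if (out) memset(out + produced, val, take);  /* discard when out is NULL */
        produced += take;
    }
    return 0;
}

/* Decode record 2 (3 symbols) after handling record 1 (4 symbols) either by
 * consume-and-discard through the safe decoder (skip_without_consuming == 0)
 * or by pretending the omitted record occupies no bytes (== 1), the other
 * mistake the advisory warns about, which desynchronises the stream. */
int decode_second_record(int skip_without_consuming, uint8_t out2[3]) {
    size_t pos = 0;
    if (!skip_without_consuming &&
        rle_decode_safe(STREAM, sizeof STREAM, &pos, NULL, 4) != 0)
        return -1;
    return rle_decode_safe(STREAM, sizeof STREAM, &pos, out2, 3);
}

/* 1 if record 2 decodes to the 3-byte string 'expected'. */
int second_record_is(int skip_without_consuming, const char *expected) {
    uint8_t r[3];
    return decode_second_record(skip_without_consuming, r) == 0 &&
           memcmp(r, expected, 3) == 0;
}

/* Bytes consumed by discarding record 1 through the hardened decoder. */
size_t bytes_consumed_by_discard(void) {
    size_t pos = 0;
    if (rle_decode_safe(STREAM, sizeof STREAM, &pos, NULL, 4) != 0) return 0;
    return pos;
}

int main(void) {
    uint8_t buf[4];
    size_t pos = 0;
    rle_decode_unsafe(STREAM, sizeof STREAM, &pos, buf, 4);  /* safe with a real buffer */
    printf("record 1 with buffer: %.4s\n", (const char *)buf);
    printf("record 2 after consume-and-discard is GGG: %d\n", second_record_is(0, "GGG"));
    printf("record 2 after naive skip is AAA (wrong): %d\n", second_record_is(1, "AAA"));
    printf("bytes consumed by discarding record 1: %zu\n", bytes_consumed_by_discard());
    return 0;
}
```

The point for a reviewer of any codec interface is that "output omitted" has two halves: the codec must not write, and it must still advance the input. Missing the first half is the crash this CVE describes; missing the second corrupts every record that follows without any error being raised.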
Potential Impact
The primary impact of CVE-2026-31964 is denial of service caused by application crashes when processing specially crafted CRAM files with omitted sequence or quality data using vulnerable htslib versions. This can disrupt bioinformatics workflows, delay genomic data analysis, and potentially halt critical research or clinical diagnostics relying on samtools. While the vulnerability does not directly expose sensitive data or allow code execution, the availability impact can be significant in environments where continuous processing of large genomic datasets is essential. Organizations relying on automated pipelines for DNA sequence alignment and analysis may experience interruptions, leading to operational delays and increased costs. Additionally, if exploited in a targeted manner, attackers could disrupt services in research or healthcare settings, impacting patient care or scientific progress. The lack of authentication or user interaction requirements increases the risk of remote exploitation by submitting malicious CRAM files to vulnerable systems.
Mitigation Recommendations
The only effective mitigation is to upgrade htslib to version 1.21.1, 1.22.2, 1.23.1, or later, where the NULL pointer dereference issue has been fixed. Organizations should audit their environments to identify all instances of samtools and htslib and verify the versions in use. Automated deployment tools can facilitate rapid patching across research clusters and production systems. Since no workaround exists, blocking or filtering CRAM files from untrusted sources may reduce exposure but is not a substitute for patching. Implementing input validation and sandboxing bioinformatics processing pipelines can limit the impact of crashes. Monitoring for abnormal application crashes or denial-of-service symptoms during CRAM file processing can help detect exploitation attempts. Finally, maintaining an inventory of bioinformatics tools and dependencies and integrating vulnerability management into research IT operations will improve resilience against similar issues.
Affected Countries
United States, United Kingdom, Germany, France, Japan, China, Canada, Australia, South Korea, Netherlands, Switzerland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T15:40:10.484Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69baf24a771bdb1749bb3c5b
Added to database: 3/18/2026, 6:43:22 PM
Last enriched: 3/18/2026, 6:58:06 PM
Last updated: 3/18/2026, 7:50:21 PM