
CVE-2026-31965: CWE-125: Out-of-bounds Read in samtools htslib

Severity: Medium
Tags: Vulnerability, CVE-2026-31965, CWE-125, CWE-129
Published: Wed Mar 18 2026 (03/18/2026, 18:50:37 UTC)
Source: CVE Database V5
Vendor/Project: samtools
Product: htslib

Description

CVE-2026-31965 is a medium severity out-of-bounds read vulnerability in the htslib library used by samtools for processing bioinformatics file formats, specifically CRAM files. The flaw occurs in the cram_decode_slice() function, where reference ID validation happens too late, allowing two out-of-bounds reads before the error is detected. This can leak two values to the caller or crash the program through invalid memory access. Exploitation does not require authentication or user interaction and can be triggered remotely by processing crafted CRAM files. Fixed versions: 1.21.1, 1.22.2, and 1.23.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 01:15:15 UTC

Technical Analysis

The vulnerability identified as CVE-2026-31965 affects the htslib library, a core component of samtools widely used in bioinformatics for reading and writing genomic data formats such as CRAM. The issue lies in the cram_decode_slice() function, which processes CRAM records. Specifically, validation of the reference ID field is delayed until after two out-of-bounds memory reads have already occurred. These out-of-bounds reads can leak two unintended values to the caller, potentially exposing sensitive data from memory. Additionally, attempts to access invalid memory may cause the application to crash, resulting in denial of service. The vulnerability does not require any privileges or user interaction to exploit, as it can be triggered by processing a maliciously crafted CRAM file. However, the function reports an error upon detecting the invalid data, which may limit how useful the leaked values are to an attacker. The affected versions include all htslib releases prior to 1.21.1, versions from 1.22 up to but not including 1.22.2, and version 1.23. The issue has been addressed in versions 1.21.1, 1.22.2, and 1.23.1. No known exploits have been reported in the wild to date. The CVSS 4.0 base score of 6.9 reflects a medium severity, with network attack vector, low complexity, no privileges or user interaction required, and limited impact on confidentiality and availability. The vulnerability is classified under CWE-125 (Out-of-bounds Read) and CWE-129 (Improper Validation of Array Index).

Potential Impact

This vulnerability can impact organizations that rely on samtools and htslib for genomic data processing, including research institutions, healthcare providers, pharmaceutical companies, and bioinformatics service providers. The out-of-bounds read can lead to leakage of sensitive genomic data or other memory contents, potentially exposing confidential patient or research information. Additionally, the possibility of application crashes can disrupt critical bioinformatics workflows, causing denial of service and operational delays. Since the vulnerability can be triggered remotely by processing crafted CRAM files, attackers could exploit publicly accessible systems that accept or analyze genomic data files. The impact is particularly significant for organizations handling large volumes of genomic data or those integrating htslib into automated pipelines. Although no active exploits are known, the medium severity rating and ease of exploitation without authentication warrant prompt remediation to prevent data breaches or service interruptions.

Mitigation Recommendations

The primary mitigation is to upgrade htslib to a fixed release (1.21.1, 1.22.2, or 1.23.1) or later. Organizations should audit their environments to identify all instances of samtools and htslib and verify the versions in use. Where an immediate upgrade is not feasible, implement strict input validation and filtering to block untrusted or malformed CRAM files before processing. Employ runtime protections such as memory safety tools (e.g., AddressSanitizer) during development and testing to detect similar issues early. Monitor logs and application behavior for crashes or anomalies that may indicate exploitation attempts. Additionally, restrict access to systems processing genomic data to trusted users and networks to reduce exposure. Maintain up-to-date backups and incident response plans to recover quickly from a denial of service caused by exploitation.
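As an added example for the version audit step above (not code from the advisory or from the htslib project), the following script classifies an htslib version string against the affected ranges stated on this page. It assumes that `samtools --version` prints a line of the form `Using htslib X.Y.Z`; the sample output embedded in the script is constructed, not captured from a real installation.

```python
import re
import subprocess

# Affected ranges as stated in the advisory, as half-open [low, high) tuples.
# Fixes shipped in 1.21.1, 1.22.2 and 1.23.1, so those are the upper bounds.
AFFECTED_RANGES = [
    ((0, 0, 0), (1, 21, 1)),   # every release before 1.21.1
    ((1, 22, 0), (1, 22, 2)),  # 1.22 up to but not including 1.22.2
    ((1, 23, 0), (1, 23, 1)),  # 1.23 (fixed in 1.23.1)
]


def parse_version(text):
    """Turn '1.22' or '1.21.1' into a zero-padded (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_affected(version):
    """True if the given htslib version falls in a range the advisory lists as vulnerable."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def htslib_version_from_samtools(output):
    """Extract the htslib version from `samtools --version` output.
    Assumption: the output contains a line such as 'Using htslib 1.22.1'."""
    m = re.search(r"^Using htslib\s+(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Using htslib' line found in samtools output")
    return m.group(1)


def audit_samtools():
    """Run the locally installed samtools and report (htslib_version, affected)."""
    out = subprocess.run(["samtools", "--version"], capture_output=True,
                         text=True, check=True).stdout
    v = htslib_version_from_samtools(out)
    return v, is_affected(v)


if __name__ == "__main__":
    # Constructed sample output; call audit_samtools() to check a real install.
    SAMPLE = "samtools 1.22\nUsing htslib 1.22.1\nCopyright (C) 2025 Genome Research Ltd.\n"
    v = htslib_version_from_samtools(SAMPLE)
    print(f"htslib {v}: {'AFFECTED, upgrade' if is_affected(v) else 'not affected'}")
```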


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-10T15:40:10.484Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69baf5d2771bdb1749bce2b2

Added to database: 3/18/2026, 6:58:26 PM

Last enriched: 3/26/2026, 1:15:15 AM

Last updated: 5/2/2026, 1:31:46 PM

Views: 97
