CVE-2026-31965 is a medium severity vulnerability classified under CWE-125 (Out-of-bounds Read) and CWE-129 (Improper Validation of Array Index) affecting the htslib library, a core component of samtools used for reading and writing bioinformatics file formats, specifically CRAM files which store compressed DNA sequence alignment data. The vulnerability arises in the cram_decode_slice() function, where the validation of the reference ID field occurs too late during the parsing of CRAM records. This delayed validation allows two out-of-bounds memory reads before the function detects the invalid reference ID and returns an error. These out-of-bounds reads can leak two values from memory to the caller, potentially exposing sensitive data. Additionally, the invalid memory access may cause the program to crash, resulting in denial of service. The vulnerability affects htslib versions prior to 1.21.1, versions between 1.22 and 1.22.2, and version 1.23. Fixed versions 1.21.1, 1.22.2, and 1.23.1 address this issue. Exploitation requires no authentication or user interaction and can be triggered remotely by processing maliciously crafted CRAM files. Although no known exploits have been reported in the wild, the flaw poses risks to confidentiality and availability in environments processing genomic data. No workarounds exist, making patching the only effective mitigation.

The primary impact of CVE-2026-31965 is the potential leakage of sensitive memory contents due to out-of-bounds reads, which could expose confidential genomic data or other sensitive information residing in memory. Additionally, the vulnerability can cause application crashes, leading to denial of service in bioinformatics pipelines that rely on htslib for processing CRAM files. Organizations involved in genomic research, clinical diagnostics, or bioinformatics data processing may face data confidentiality risks and operational disruptions. Since exploitation requires no authentication and can be triggered remotely by supplying crafted CRAM files, attackers could target publicly accessible systems or shared computational resources. Although the vulnerability does not allow code execution or privilege escalation, the confidentiality and availability impacts are significant in sensitive environments handling genomic data. The lack of workarounds increases the urgency for patching to maintain data integrity and service continuity.

To mitigate CVE-2026-31965, organizations should immediately update htslib to versions 1.21.1, 1.22.2, 1.23.1, or later, which contain the necessary fixes. Since no workarounds exist, patching is the only reliable defense. Additionally, organizations should audit their bioinformatics pipelines to identify all instances where htslib or samtools are used to ensure comprehensive patch deployment. Implement strict input validation and filtering on CRAM files received from untrusted sources to reduce exposure to crafted malicious files. Employ runtime memory protection mechanisms such as AddressSanitizer or similar tools during development and testing to detect out-of-bounds accesses early. Monitor application logs and system behavior for crashes or anomalies that could indicate exploitation attempts. Finally, maintain an inventory of bioinformatics tools and dependencies to facilitate rapid response to future vulnerabilities.