HTSlib is a widely used C library for reading and writing high-throughput sequencing data formats, including CRAM, a compressed format for DNA sequence alignments. CRAM achieves compression by storing differences relative to an external reference sequence rather than full sequences. During decoding, the reference sequence is loaded into a character array, and the function cram_decode_seq() reconstructs the aligned sequence by copying segments from this reference based on a series of 'features' that describe differences. The vulnerability (CWE-125: Out-of-bounds Read) occurs because cram_decode_seq() does not sufficiently validate the feature data indices, allowing it to read memory before the start or beyond the end of the reference buffer. This out-of-bounds read can cause two main issues: leaking arbitrary memory contents to the caller (potentially exposing sensitive program state information) and causing program crashes due to invalid memory access. The flaw affects htslib versions prior to 1.21.1, versions between 1.22 and 1.22.2, and version 1.23. Fixed versions have been released (1.21.1, 1.22.2, and 1.23.1). The vulnerability can be triggered by processing maliciously crafted CRAM files, requiring no authentication or user interaction, and can be exploited remotely if such files are processed. The CVSS 4.0 score is 6.9, reflecting medium severity with network attack vector, low complexity, and no privileges or user interaction required. No known exploits have been reported in the wild, and no workarounds exist other than upgrading to patched versions.

The primary impact of CVE-2026-31966 is the potential leakage of arbitrary memory contents from the vulnerable application processing CRAM files. This could expose sensitive information about the program's internal state or data in memory, which might aid attackers in further exploitation or reconnaissance. Additionally, the out-of-bounds read can cause application crashes, leading to denial of service in bioinformatics pipelines relying on htslib. Since htslib is a foundational library used in many bioinformatics tools and workflows worldwide, this vulnerability could disrupt critical genomic data processing, affecting research, clinical diagnostics, and pharmaceutical development. The lack of authentication or user interaction requirements means that any system processing untrusted CRAM files is at risk. While no remote code execution is indicated, the information disclosure and stability impacts can be significant in sensitive environments handling genomic data.

The only effective mitigation is to upgrade htslib to a fixed version: 1.21.1, 1.22.2, or 1.23.1 or later. Organizations should audit their bioinformatics pipelines and tools to identify usage of vulnerable htslib versions and update accordingly. Additionally, implement strict input validation and filtering to ensure only trusted CRAM files are processed, reducing exposure to crafted malicious files. Employ sandboxing or containerization for bioinformatics tools to limit the impact of potential crashes or memory leaks. Monitor logs and application behavior for crashes or anomalies that could indicate exploitation attempts. Since no workaround exists, patch management and supply chain verification are critical. Finally, maintain awareness of updates from samtools and related projects for any further advisories.