The vulnerability CVE-2026-31967 resides in the htslib library, a widely used component for reading and writing bioinformatics file formats such as CRAM, BAM, and SAM. CRAM is a compressed format for storing DNA sequence alignment data. The issue is located in the cram_decode_slice() function, which is responsible for decoding slices of CRAM records. Specifically, the mate reference id field within the CRAM data is not validated for correctness or bounds. When this invalid mate reference id is later used to look up the corresponding reference name during conversion to the SAM format, it can cause an out-of-bounds read on an array. If the out-of-bounds read returns a value that is interpreted as a valid pointer, the program may treat it as a string and attempt to write it into the SAM record output. This behavior can lead to two primary impacts: leakage of memory contents that reveal program state (confidentiality breach) and program crashes due to invalid memory access (availability impact). The vulnerability affects htslib versions prior to 1.21.1, versions between 1.22 and 1.22.2, and version 1.23. The CVSS 4.0 base score is 6.9, indicating medium severity, with an attack vector of network, no privileges or user interaction required, and limited confidentiality and availability impact. No known exploits have been reported in the wild, but the vulnerability poses a risk to bioinformatics pipelines that process CRAM files, especially in research, clinical, and pharmaceutical environments. There is no workaround; only upgrading to fixed versions 1.21.1, 1.22.2, or later resolves the issue.

This vulnerability can lead to unauthorized disclosure of sensitive information from program memory, potentially exposing parts of the genomic data processing state or other memory contents. Such leakage could aid attackers in further exploitation or data inference. Additionally, the out-of-bounds read may cause application crashes, resulting in denial of service for bioinformatics workflows. Organizations relying on automated genomic data processing pipelines using vulnerable htslib versions risk disruption of critical research or clinical diagnostics. While the vulnerability does not allow code execution or privilege escalation, the confidentiality and availability impacts can be significant in environments handling sensitive genetic information. The lack of required authentication or user interaction means remote attackers can exploit this by supplying maliciously crafted CRAM files, increasing the threat surface. The medium severity score reflects these considerations. The absence of known exploits suggests limited current exploitation but does not preclude future attacks, especially as genomic data processing becomes more widespread.

The primary and only effective mitigation is to upgrade htslib to a fixed version: 1.21.1, 1.22.2, 1.23.1, or later. Organizations should audit their bioinformatics toolchains and pipelines to identify usage of vulnerable htslib versions and plan immediate updates. Since no workaround exists, blocking or filtering untrusted CRAM files before processing can reduce risk temporarily. Implementing input validation or sandboxing the processing environment may limit impact from malformed files. Monitoring logs for crashes or unusual behavior in samtools or related tools can help detect exploitation attempts. Security teams should coordinate with bioinformatics teams to ensure timely patching and validate that all dependent tools are rebuilt against updated htslib versions. Additionally, organizations should review access controls around genomic data processing systems to limit exposure to untrusted inputs. Regularly updating threat intelligence feeds for any emerging exploits related to this CVE is recommended.