
CVE-2026-31969: CWE-122: Heap-based Buffer Overflow in samtools htslib

Severity: High
Tags: Vulnerability, CVE-2026-31969, CWE-122, CWE-787
Published: Wed Mar 18 2026 (03/18/2026, 19:47:44 UTC)
Source: CVE Database V5
Vendor/Project: samtools
Product: htslib

Description

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_STOP` method, an out-by-one error in the `cram_byte_array_stop_decode_char()` function check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

AI-Powered Analysis

AI analysis last updated: 03/18/2026, 20:13:15 UTC

Technical Analysis

CVE-2026-31969 is a heap-based buffer overflow in htslib, the C library underneath samtools and many other tools that read and write SAM, BAM and CRAM. The bug is in the CRAM decoder for the BYTE_ARRAY_STOP encoding, which stores a byte array as a run of bytes terminated by a stop byte. In cram_byte_array_stop_decode_char(), the check for a full output buffer is off by one, so a crafted file can cause one attacker-controlled byte to be written immediately past the end of a heap allocation. A single-byte heap overflow is a well-known primitive: depending on the allocator and on what sits directly after the allocation, that byte lands in the next chunk's metadata or in an adjacent object, so the outcome ranges from a crash (denial of service) to corruption of heap structures that an attacker may be able to turn into arbitrary code execution with the privileges of the user running the tool. The trigger is simply opening a malicious CRAM file in any program linked against an affected htslib. Affected versions are every release before 1.21.1, 1.22 up to but not including 1.22.2, and 1.23.0; the fixes are in 1.21.1, 1.22.2 and 1.23.1. The issue was published on March 18, 2026 with a CVSS 4.0 base score of 7.1 (High), reflecting a network attack vector (the file can be delivered remotely), no privileges required, user interaction limited to opening the file, and high integrity impact. No exploitation in the wild has been reported. There is no workaround, so upgrading to a fixed release is the only remediation.
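The off-by-one pattern described above, as an added example that is not htslib's code: the function names, signatures, return codes and buffer layout are assumptions made for the demonstration. The buggy decoder tests "is the buffer full?" after the store, so the first byte past capacity is written to out[out_cap] before the check fires; the fixed one tests before the store. The backing allocation is deliberately one byte larger than the capacity handed to the decoder, with a canary in that extra byte, so the out-of-bounds write is observable rather than undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example of the off-by-one class of bug, NOT htslib's code. A
 * BYTE_ARRAY_STOP value is a run of bytes terminated by a stop byte; the
 * decoder copies bytes into a caller-supplied buffer of out_cap bytes until
 * it sees the stop byte. Both variants return the number of payload bytes
 * produced, -1 if the input ends before a stop byte, or -2 if the output
 * buffer fills up first (these codes are assumptions for the example).
 */

/* Buggy variant: the fullness check runs after the store, so on the
 * iteration where n already equals out_cap the byte is stored at
 * out[out_cap], one past the allocation, before the check fires. */
int decode_stop_buggy(const unsigned char *in, size_t in_len,
                      unsigned char stop,
                      unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == stop)
            return (int)n;
        out[n++] = in[i];          /* writes out[out_cap] when n == out_cap */
        if (n > out_cap)           /* one byte too late */
            return -2;
    }
    return -1;
}

/* Fixed variant: refuse to store when the buffer is already full. */
int decode_stop_fixed(const unsigned char *in, size_t in_len,
                      unsigned char stop,
                      unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == stop)
            return (int)n;
        if (n >= out_cap)          /* check before the store */
            return -2;
        out[n++] = in[i];
    }
    return -1;
}

#define CANARY 0xAA

/* Decode a constructed input into a 4-byte output region that sits directly
 * in front of a canary byte and return the canary's value afterwards. With
 * the buggy decoder the canary is overwritten by the fifth payload byte 'E';
 * with the fixed decoder it survives. Returns 0 on allocation failure. */
unsigned char canary_after_decode(int use_fixed)
{
    /* Constructed input: five payload bytes, then the stop byte 0x00, fed to
     * a decoder that has room for only four. */
    static const unsigned char in[] = { 'A', 'B', 'C', 'D', 'E', 0x00 };
    const size_t cap = 4;
    unsigned char *buf = malloc(cap + 1);   /* +1 keeps the demo in bounds */
    if (!buf)
        return 0;
    memset(buf, 0, cap);
    buf[cap] = CANARY;
    if (use_fixed)
        decode_stop_fixed(in, sizeof in, 0x00, buf, cap);
    else
        decode_stop_buggy(in, sizeof in, 0x00, buf, cap);
    unsigned char after = buf[cap];
    free(buf);
    return after;
}

int main(void)
{
    printf("buggy decoder: canary = 0x%02X (expect 0x45, 'E')\n",
           canary_after_decode(0));
    printf("fixed decoder: canary = 0x%02X (expect 0x%02X)\n",
           canary_after_decode(1), CANARY);
    return 0;
}
```

In a real process there is no spare byte: the store lands on whatever the allocator placed next, which is why the advisory's outcomes range from a crash to heap-metadata corruption. Building a harness like this with AddressSanitizer (-fsanitize=address) flags the buggy variant's store as a heap-buffer-overflow even without the canary.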

Potential Impact

Any organisation that processes genomic data with samtools, bcftools or other htslib-based tools is exposed. The immediate outcomes are crashes of the process reading the file (denial of service in a pipeline) and silent heap corruption, which can surface as wrong results rather than an error; the worst case is arbitrary code execution with the privileges of the user or service account running the tool. That matters most in healthcare, research, pharmaceutical and genomic data-centre environments, where the process often has access to sensitive genetic data and where CRAM files are routinely exchanged with collaborators, downloaded from public archives or submitted by external users. Because the trigger is opening a file, every path by which CRAM data enters the environment is attack surface. No exploitation in the wild is known, but the flaw is easy to trigger and there is no workaround short of patching, so weaponisation is plausible.

Mitigation Recommendations

Upgrade every copy of htslib to 1.21.1, 1.22.2, 1.23.1 or later, and rebuild or reinstall anything that links it: samtools and bcftools themselves, plus packages that vendor or statically link htslib (pysam bundles its own copy, for example), since those do not pick up a system library update. With no workaround available, patching is the only real fix. Until it lands, treat CRAM files from outside the organisation as untrusted input, and do not rely on a pre-scan built on an unpatched htslib, because it decodes the same BYTE_ARRAY_STOP data and hits the same bug; instead run ingestion and conversion steps in a sandbox or container with minimal privileges and no access to credentials or other data, so a crash or code execution in the decoder is contained. Monitor for crashes (SIGSEGV, SIGABRT) in samtools, bcftools or other htslib consumers while handling CRAM input, which is the most likely visible symptom of an attempt. Verify CRAM files against checksums or signatures published by the data source so that a file swapped in transit is caught, and make sure pipeline operators know not to run downloaded files through unpatched tools. Keep watching threat intelligence for exploit activity against this CVE.
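A version gate for the affected ranges listed in the analysis and mitigation sections above, as an added example rather than a tool from the htslib or samtools projects. The ranges are taken from the advisory text; it assumes, as the advisory says "or later", that every release after 1.23.1 carries the fix. It also reads the htslib version out of `samtools --version` output, which contains a line of the form "Using htslib X.Y[.Z]"; the sample output embedded below is constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example: is this htslib version affected by CVE-2026-31969?
 * Affected ranges from the advisory: < 1.21.1, 1.22 <= v < 1.22.2,
 * 1.23 <= v < 1.23.1. Assumption: 1.24 and later are fixed ("or later").
 */

/* Parse "MAJOR.MINOR[.PATCH][-suffix]" (e.g. "1.21", "1.22.2", or
 * "1.21-12-gabcdef" for a git build). A missing patch number counts as 0.
 * Returns 1 on success, 0 if the string does not start with MAJOR.MINOR. */
int parse_htslib_version(const char *s, int *maj, int *min, int *pat)
{
    *maj = *min = *pat = 0;
    return sscanf(s, "%d.%d.%d", maj, min, pat) >= 2;
}

/* Returns 1 if the version is in an affected range, 0 if it carries the
 * fix, -1 if the string could not be parsed. */
int htslib_affected(const char *ver)
{
    int maj, min, pat;
    if (!parse_htslib_version(ver, &maj, &min, &pat))
        return -1;
    if (maj != 1)
        return maj < 1;            /* 0.x predates the fix; 2.x+ assumed fixed */
    if (min < 21) return 1;
    if (min == 21) return pat < 1;
    if (min == 22) return pat < 2;
    if (min == 23) return pat < 1;
    return 0;                      /* 1.24 and later: assumed fixed */
}

/* Copy the version token following "Using htslib " in `samtools --version`
 * output into buf. Returns 1 on success, 0 if no such line is present. */
int htslib_version_from_samtools(const char *output, char *buf, size_t buflen)
{
    const char *p = strstr(output, "Using htslib ");
    if (!p || buflen == 0)
        return 0;
    p += strlen("Using htslib ");
    size_t n = 0;
    while (p[n] && p[n] != '\n' && p[n] != '\r' && n + 1 < buflen) {
        buf[n] = p[n];
        n++;
    }
    buf[n] = '\0';
    return n > 0;
}

/* Constructed sample of what a vulnerable install prints; real output has
 * further lines (build options, licence text) that are ignored here. */
const char *SAMPLE_SAMTOOLS_VERSION =
    "samtools 1.22\n"
    "Using htslib 1.22.1\n"
    "Copyright (C) 2025 Genome Research Ltd.\n";

int main(void)
{
    char ver[32];
    if (htslib_version_from_samtools(SAMPLE_SAMTOOLS_VERSION, ver, sizeof ver))
        printf("htslib %s: %s\n", ver,
               htslib_affected(ver) == 1 ? "AFFECTED, upgrade" : "fixed");
    return 0;
}
```

To check a real host, feed the output of `samtools --version` into htslib_version_from_samtools instead of the sample. Note that this only covers the htslib that samtools was built against; tools that bundle their own copy (pysam, for instance) report it separately and need their own check.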


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-10T15:40:10.485Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69bb03e2771bdb1749c142f0

Added to database: 3/18/2026, 7:58:26 PM

Last enriched: 3/18/2026, 8:13:15 PM

Last updated: 3/18/2026, 8:59:50 PM
