CVE-2026-31970 is a heap-based buffer overflow vulnerability identified in the HTSlib library, a widely used component in bioinformatics software such as samtools for reading and writing genomic data file formats. The vulnerability specifically exists in the function bgzf_index_load_hfile(), which loads GZI index files used to index block-compressed GZIP (BGZF) files. An integer overflow occurs during the calculation of the buffer size needed to store the index, resulting in an under- or zero-sized heap buffer allocation. Subsequently, the function writes sixteen zero bytes into this insufficient buffer and may also attempt to load additional file data into it. This leads to a heap buffer overflow, corrupting heap structures and potentially allowing arbitrary code execution. The vulnerability affects HTSlib versions earlier than 1.21.1, versions 1.22 up to but not including 1.22.2, and version 1.23. The flaw can be triggered by opening a maliciously crafted GZI index file, which is typically an ancillary file accompanying compressed genomic data. Exploitation does not require authentication but does require user interaction to open the crafted file. While no active exploits have been reported, the potential for remote code execution and data corruption makes this a critical concern for bioinformatics environments. The recommended mitigation is to discard untrusted .gzi files and regenerate them using the bgzip tool with the -r option, or upgrade to fixed versions 1.21.1, 1.22.2, or 1.23.1. This vulnerability is tracked with a CVSS 4.0 score of 7.1, reflecting high severity due to network attack vector, no privileges required, and high impact on integrity.

The impact of CVE-2026-31970 is significant for organizations that process genomic or bioinformatics data using HTSlib and samtools. Successful exploitation can lead to program crashes, denial of service, or arbitrary code execution within the context of the vulnerable application. This could allow attackers to manipulate sensitive genomic data, disrupt research workflows, or pivot to further compromise systems in research or healthcare environments. Given the specialized use of HTSlib in bioinformatics, the scope is somewhat limited to organizations in genomics research, clinical diagnostics, pharmaceutical companies, and bioinformatics service providers. However, the sensitive nature of genomic data and the critical role of these tools in healthcare and research amplify the potential damage. Additionally, since the vulnerability can be triggered by opening a crafted file, supply chain risks exist if untrusted or maliciously altered index files are introduced. The lack of known exploits in the wild reduces immediate risk, but the ease of exploitation and high impact warrant urgent remediation.

To mitigate CVE-2026-31970, organizations should: 1) Immediately upgrade HTSlib and samtools to versions 1.21.1, 1.22.2, 1.23.1, or later where the vulnerability is patched. 2) Discard any .gzi index files obtained from untrusted or external sources to prevent loading maliciously crafted indexes. 3) Regenerate .gzi files using the bgzip tool with the -r option to ensure index integrity before use. 4) Implement strict file validation and integrity checks on bioinformatics input files, especially those received from third parties or external collaborators. 5) Restrict user permissions and sandbox bioinformatics tools to limit the impact of potential exploitation. 6) Monitor systems for unusual crashes or behavior during file processing that could indicate attempted exploitation. 7) Educate bioinformatics personnel about the risks of opening untrusted genomic data files and enforce secure data handling policies. These steps go beyond generic advice by focusing on the specific file types and workflows involved in this vulnerability.