CVE-2026-31971 is a stack-based buffer overflow vulnerability identified in the htslib library, a widely used component in bioinformatics for reading and writing genomic data formats such as CRAM. The vulnerability arises specifically in the function cram_byte_array_len_decode(), which handles decoding of data encoded using the BYTE_ARRAY_LEN method. This function fails to properly validate that the amount of data being unpacked matches the size of the destination buffer. As a result, an attacker can craft a malicious CRAM file that causes the function to write beyond the bounds of the allocated buffer, leading to either a heap or stack overflow depending on the data series being processed. This memory corruption can cause the program to crash or, more critically, allow an attacker to overwrite control data structures, potentially hijacking the program’s control flow and enabling arbitrary code execution. The vulnerability affects multiple versions of htslib: all versions prior to 1.21.1, versions from 1.22 up to but not including 1.22.2, and version 1.23.1. The issue was publicly disclosed on March 18, 2026, with no known exploits in the wild at the time of publication. The CVSS 4.0 base score is 7.1, reflecting a high severity due to network attack vector, no privileges required, no user interaction except opening a malicious file, and high impact on integrity and availability. This vulnerability is critical for environments that process genomic data, including research institutions, healthcare providers, and biotech companies using samtools or other software dependent on htslib. Since no workaround exists, upgrading to fixed versions (1.21.1, 1.22.2, or later) is essential to mitigate risk.

The impact of CVE-2026-31971 is significant for organizations handling genomic data, particularly those using samtools or other bioinformatics tools relying on htslib. Exploitation can lead to denial of service through program crashes or, more severely, arbitrary code execution, which may allow attackers to execute malicious payloads on affected systems. This could result in unauthorized access to sensitive genomic data, manipulation or corruption of research data, disruption of critical bioinformatics workflows, and potential compromise of broader IT infrastructure if the exploited system is part of a larger network. Given the specialized nature of the software, the threat primarily targets research labs, healthcare organizations, pharmaceutical companies, and government agencies involved in genomics. The ability to execute code remotely without authentication but requiring user interaction (opening a crafted file) increases the risk in environments where untrusted files might be processed. The lack of a workaround means that vulnerable systems remain exposed until patched, increasing the window of opportunity for attackers once exploit techniques become publicly available.

To mitigate CVE-2026-31971, organizations should immediately upgrade all instances of htslib to versions 1.21.1, 1.22.2, 1.23.1, or later, where the vulnerability has been fixed. Since no workaround exists, patching is the primary defense. Additionally, implement strict file validation and scanning policies to detect and block malicious or malformed CRAM files before processing. Restrict access to bioinformatics processing environments to trusted users and networks to reduce the risk of opening crafted files. Employ application whitelisting and sandboxing techniques to limit the impact of potential exploitation. Monitoring and logging of bioinformatics tool usage can help detect anomalous behavior indicative of exploitation attempts. Educate users about the risks of opening untrusted genomic data files. For environments where immediate patching is not feasible, consider isolating vulnerable systems and limiting network exposure to reduce attack surface. Finally, maintain up-to-date backups of critical data to enable recovery in case of compromise.