Daviesrob

**Name of the Vulnerable Software and Affected Versions** HTSlib versions prior to 1.23.1 **Description** HTSlib is a library used for reading and writing bioinformatics file formats. A heap buffer overflow exists in the `cram decode seq()` function when decoding CRAM files. This occurs because the function incorrectly handles records that omit DNA sequence and quality values, leading to a read and write operation beyond the bounds of a heap allocation. Exploitation of this issue, through a crafted CRAM file, could lead to program crashes, data corruption, or potentially arbitrary code execution. **Recommendations** Update to HTSlib version 1.23.1 or later.

**Name of the Vulnerable Software and Affected Versions** HTSlib versions prior to 1.23.1 HTSlib version 1.22.2 HTSlib version 1.21.1 **Description** HTSlib is a library used for reading and writing bioinformatics file formats. The issue relates to the CRAM decoder, which has a heap buffer overflow due to improper validation of input data. Specifically, an out-by-one error in a test for CRAM features beyond the extent of the CRAM record sequence can lead to an invalid write of one attacker-controlled byte beyond the end of a heap buffer. Exploitation of this issue could lead to program crashes or overwriting of data and heap structures, potentially resulting in arbitrary code execution. **Recommendations** Update HTSlib to version 1.23.1 or later. For HTSlib version 1.22.2, update to version 1.23.1 or later. For HTSlib version 1.21.1, update to version 1.23.1 or later.

**Name of the Vulnerable Software and Affected Versions** HTSlib versions prior to 1.23.1 HTSlib version 1.22.2 HTSlib version 1.21.1 **Description** HTSlib is a library used for reading and writing bioinformatics file formats. A flaw exists in the handling of `VARINT` and `CONST` encodings within the CRAM compressed format. Insufficient validation of the encoding context can lead to heap or stack buffer overflows, potentially allowing for arbitrary code execution. Specifically, up to eight bytes may be written beyond allocated memory regions, potentially overwriting adjacent variables or altering program control flow. Exploitation requires a specially crafted file. **Recommendations** Update HTSlib to version 1.23.1 or later. Update HTSlib to version 1.22.2. Update HTSlib to version 1.21.1.