PT-2026-26141 · Htslib · Htslib

Aviesrob · Published 2026-01-01 · Updated 2026-03-18 · CVE-2026-31965

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions: HTSlib versions 1.21.1 through 1.23.1

Description: HTSlib is a library for reading and writing bioinformatics file formats, including CRAM, a compressed format for DNA sequence alignment data. A flaw exists in the cram_decode_slice() function during CRAM record processing: the reference ID field is validated too late, so two out-of-bounds read operations can occur before the invalid value is detected. The function still reports an error, but the two values read out of bounds are leaked to the caller, which may present an exploitation opportunity, or the invalid memory access may crash the program.

Recommendations: HTSlib versions 1.23.1, 1.22.2 and 1.21.1 include a fix for this issue.
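The defect class described above (an array index taken from the file being used for lookups before it is range-checked) is illustrated below with constructed example code. It is not HTSlib's cram_decode_slice() and is not taken from the project; the reference table, the slice_hdr struct, the return codes and both function names are assumptions made for the illustration. The first function shows the check-last ordering and the second the check-first ordering that a fix of this kind restores, with the output struct left untouched on error so nothing read from memory reaches the caller.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of a check-ordering defect; not HTSlib code.
 * The reference table, slice_hdr and the function names are assumptions. */

#define NREFS 3
static const char   *ref_name[NREFS] = { "chr1", "chr2", "chrM" };
static const int64_t ref_len[NREFS]  = { 248956422, 242193529, 16569 };

typedef struct {
    int32_t ref_id;   /* index into the reference table, read from the file */
    int64_t start;    /* 1-based start position on that reference */
    int64_t span;     /* number of bases the slice covers */
} slice_hdr;

typedef struct {
    const char *name;
    int64_t     len;
} ref_info;

/* Defect pattern: two table lookups happen before ref_id is validated.
 * With an out-of-range ref_id both reads go past the arrays and the values
 * are stored in *out before -1 is returned, so the caller receives them.
 * It is shown only to make the ordering fix visible; do not feed it
 * untrusted headers. */
int decode_slice_check_last(const slice_hdr *h, ref_info *out)
{
    out->name = ref_name[h->ref_id];   /* out-of-bounds read #1 if ref_id is bad */
    out->len  = ref_len[h->ref_id];    /* out-of-bounds read #2 if ref_id is bad */
    if (h->ref_id < 0 || h->ref_id >= NREFS)
        return -1;                     /* error reported, two values already leaked */
    if (h->start < 1 || h->span < 0 || h->start - 1 + h->span > out->len)
        return -2;
    return 0;
}

/* Hardened ordering: validate the index, and every bound derived from the
 * file, before any table access; *out is written only on success. */
int decode_slice_check_first(const slice_hdr *h, ref_info *out)
{
    if (h->ref_id < 0 || h->ref_id >= NREFS)
        return -1;                     /* nothing has been read or written yet */
    int64_t len = ref_len[h->ref_id];
    if (h->start < 1 || h->span < 0 || h->start - 1 + h->span > len)
        return -2;                     /* slice would run off the end of the reference */
    out->name = ref_name[h->ref_id];
    out->len  = len;
    return 0;
}

int main(void)
{
    /* Constructed headers: one valid, one whose index points past the table. */
    slice_hdr good = { 2, 1, 16569 };
    slice_hdr bad  = { 7, 1, 100 };
    ref_info r = { 0, 0 };

    int rc_good = decode_slice_check_first(&good, &r);
    printf("good: rc=%d name=%s len=%lld\n", rc_good, r.name, (long long)r.len);

    int rc_bad = decode_slice_check_first(&bad, &r);
    printf("bad:  rc=%d (output untouched: name=%s)\n", rc_bad, r.name);
    return 0;
}
```

The point of the hardened version is not only the early range check but also that the output struct is never written until every check has passed, so an error return carries no data derived from the invalid index.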

Weakness Enumeration: Improper Validation of Array Index; Out-of-bounds Read

Related Identifiers: CVE-2026-31965; GHSA-MQM2-V645-3QHR

Affected Products: Htslib