PT-2026-26142 · Htslib · Htslib

Aviesrob · Published 2026-01-01 · Updated 2026-03-18 · CVE-2026-31966

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: HTSlib versions 1.21.1 through 1.23.1
Description: HTSlib is a library for handling bioinformatics file formats, including CRAM, a compressed format for DNA sequence alignment data. A flaw exists in how CRAM records are decoded, specifically within the cram_decode_seq() function. Insufficient validation of feature data series can leak arbitrary data, including program state information, or crash the program through access to invalid memory locations, because the function can copy data from outside the bounds of the stored reference sequence into the output buffers used for the CRAM record or the SAM MD tag.
Recommendations: HTSlib versions 1.23.1, 1.22.2 and 1.21.1 include a fix for this issue.
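Added illustration, not HTSlib code: the kind of check the description says was missing, applied to a reference-slice copy into a record's sequence buffer. The function and buffer names are hypothetical; the same check belongs in front of any copy into the MD tag buffer.

```c
/* Added example (not from HTSlib): bounds-checked copy of reference bases
 * into a sequence buffer. Function and parameter names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy `len` reference bases starting at `ref_pos` into `seq` at `seq_pos`.
 * Returns 0 on success, -1 if the request would read outside `ref` or write
 * outside `seq`; on -1 nothing is written. */
int copy_ref_bases(const char *ref, size_t ref_len,
                   size_t ref_pos, size_t len,
                   char *seq, size_t seq_len, size_t seq_pos)
{
    if (ref == NULL || seq == NULL)
        return -1;
    /* Subtraction form: `ref_pos + len` could wrap and pass a naive check. */
    if (ref_pos > ref_len || len > ref_len - ref_pos)
        return -1;
    if (seq_pos > seq_len || len > seq_len - seq_pos)
        return -1;
    memcpy(seq + seq_pos, ref + ref_pos, len);
    return 0;
}

/* Constructed sample: a 10-base reference and three feature requests; the
 * second runs past the end of the reference and the third has a length that
 * would wrap, so both must be rejected. Returns the number rejected. */
int demo_rejected_requests(void)
{
    const char ref[] = "ACGTACGTAC";
    char seq[16] = {0};
    int rejected = 0;
    if (copy_ref_bases(ref, 10, 2, 4, seq, sizeof seq, 0) != 0) rejected++;
    if (copy_ref_bases(ref, 10, 8, 4, seq, sizeof seq, 4) != 0) rejected++;
    if (copy_ref_bases(ref, 10, 1, (size_t)-1, seq, sizeof seq, 0) != 0) rejected++;
    return rejected;
}

int main(void)
{
    printf("rejected out-of-range requests: %d\n", demo_rejected_requests());
    return 0;
}
```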

Weakness Enumeration

Improper Validation of Array Index
Out of bounds Read

Related Identifiers

CVE-2026-31966
GHSA-5CJ8-MJ52-8VP3

Affected Products

Htslib