cvedb.io
CVE-2026-31966
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2026-03-18T20:16:21.060 · Last modified 2026-06-17T10:34:51.403

Summary

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding CRAM records, the reference data is stored in a char array, and parts matching the alignment record sequence are copied over as necessary. Due to insufficient validation of the feature data series, it was possible to make the `cram_decode_seq()` function copy data from either before the start, or after the end of the stored reference eithe

Affected products

htslib — htslib

Does this affect you?

Add your gear to cvedb and we'll alert you only when htslib ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.