CVE Tools
Sign in

CVE-2026-31970

HTSlib BGZF index file reader has a heap buffer overflow

Published: Mar 18, 2026Updated: Mar 19, 2026 Sources: CVE List NVDCWE-122
NVD MITRE
8.1CVSSHIGH
EPSS Score
0.5%
Top 64.3%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP [BGZF] files. In the GZI loading function, `bgzf_index_load_hfile()`, it was possible to trigger an integer overflow, leading to an under- or zero-sized buffer being allocated to store the index. Sixteen zero bytes would then be written to this buffer, and, depending on the result of the overflow the rest of the file may also be loaded into the buffer as well. If the function did attempt to load the data, it would eventually fail due to not reading the expected number of records, and then try to free the overflowed heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. The easiest work-around is to discard any `.gzi` index files from untrusted sources, and use the `bgzip -r` option to recreate them.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:RS:UC:NI:HA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:RUser Interaction
Required
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:HIntegrity
High
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-122CWE-131CWE-190CWE-787CWE-1284

Affected Products

htslibsamtools
Library
OSS Libraries / generic-library
htslibhtslib
Library
OSS Libraries / generic-library
samtoolsoss-projectUSOSS Libraries
htsliboss-projectOSS Libraries

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available
Workaround Available

MITRE ATT&CK

2 techniques
Initial Access
Privilege Escalation
View detailed technique mapping

References

https://github.com/samtools/htslib/security/advisories/GHSA-p345-84hx-fq6q
github.com
https://github.com/samtools/htslib/commit/6dd0d7d0e9e7e2e173a28969e624db8bc8bb5828
github.com
http://www.openwall.com/lists/oss-security/2026/03/18/9
openwall.com

Timeline

Published
Mar 18, 2026
Last Updated
Mar 19, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-31970 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows