oss-sec mailing list archives
CVE-2026-31970: HTSlib <= 1.23 heap buffer overflow in the BGZF index file reader
From: Robert Davies <rmd () sanger ac uk>
Date: Wed, 18 Mar 2026 21:08:58 +0000 (GMT)
Description ----------- HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP (BGZF) files. In the GZI loading function, bgzf_index_load_hfile(), it was possible to trigger an integer overflow, leading to an under- or zero-sized buffer being allocated to store the index. Sixteen zero bytes would then be written to this buffer, and, depending on the result of the overflow the rest of the file may also be loaded into the buffer as well. If the function did attempt to load the data, it would eventually fail due to not reading the expected number of records, and then try to free the overflowed heap buffer. Impact ------ Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Severity -------- High CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N Patches ------- Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. Workarounds ----------- The easiest work-around is to discard any .gzi index files from untrusted sources, and use the bgzip -r option to recreate them. Credits ------- Thanks to Harrison Green for reporting this issue. References ---------- https://github.com/samtools/htslib/security/advisories/GHSA-p345-84hx-fq6q https://www.cve.org/CVERecord?id=CVE-2026-31970 -- The SAMtools team https://www.htslib.org/ https://www.sanger.ac.uk/ ---------------------------------------------------------------------- The Wellcome Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is Wellcome Sanger Institute, Wellcome Genome Campus, Hinxton, CB10 1SA.
Current thread:
- CVE-2026-31970: HTSlib <= 1.23 heap buffer overflow in the BGZF index file reader Robert Davies (Mar 18)