Home

Description

SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, in the cram-size command, used to write information about how well CRAM files are compressed, a check to see if the `cram_decode_compression_header()` was missing. If the function returned an error, this could lead to a NULL pointer dereference. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

PUBLISHED Reserved 2026-03-10 | Published 2026-03-18 | Updated 2026-03-19 | Assigner GitHub_M




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-476: NULL Pointer Dereference

Product status

>= 1.17, < 1.21.1
affected

>= 1.22, < 1.22.2
affected

= 1.23
affected

References

www.openwall.com/lists/oss-security/2026/03/18/12

github.com/...mtools/security/advisories/GHSA-x86f-q6fj-cm43

github.com/...ommit/06fc2a219b3d7c94d3f412c09f6d1efd51199f2f

cve.org (CVE-2026-31973)

nvd.nist.gov (CVE-2026-31973)

Download JSON