SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, in the cram-size command, used to write information about how well CRAM files are compressed, a check to see if the `cram_decode_compression_header()` was missing. If the function returned an error, this could lead to a NULL pointer dereference. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
samtools samtools affected
Version Status Constraints
>= 1.17, < 1.21.1 affected
>= 1.22, < 1.22.2 affected
= 1.23 affected

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Samtools Subscribe
Samtools Subscribe

Project Subscriptions

Vendors Products
Samtools Subscribe
Samtools Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://www.openwall.com/lists/oss-security/2026/03/18/12 cve-icon
https://github.com/samtools/samtools/commit/06fc2a219b3d7c94d3f412c09f6d1efd51199f2f cve-icon cve-icon
https://github.com/samtools/samtools/security/advisories/GHSA-x86f-q6fj-cm43 cve-icon cve-icon
History

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Samtools
Samtools samtools
Vendors & Products Samtools
Samtools samtools

Thu, 19 Mar 2026 00:30:00 +0000

Type Values Removed Values Added
References

Wed, 18 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, in the cram-size command, used to write information about how well CRAM files are compressed, a check to see if the `cram_decode_compression_header()` was missing. If the function returned an error, this could lead to a NULL pointer dereference. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Title NULL pointer dereference in samtools cram-size
Weaknesses CWE-476
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T23:08:20.721Z

Reserved: 2026-03-10T15:40:10.486Z

Link: CVE-2026-31973

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-18T21:16:26.250

Modified: 2026-03-19T00:16:17.887

Link: CVE-2026-31973

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-19T08:55:33Z

Weaknesses