Description
-----------

SAMtools is a program for reading, manipulating and writing bioinformatics file formats. In the "cram-size" command, used to write information about how well CRAM files are compressed, a check on the result of cram_decode_compression_header() was missing. If the function returned an error, this could lead to a NULL pointer dereference.

Impact
------

Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash.

Severity
--------

Moderate

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Patches
-------

Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue.

Workarounds
-----------

There is no workaround for this issue.

References
----------

https://github.com/samtools/samtools/security/advisories/GHSA-x86f-q6fj-cm43
https://www.cve.org/CVERecord?id=CVE-2026-31973

--
The SAMtools team
https://www.htslib.org/
https://www.sanger.ac.uk/
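As an added illustration of the bug class the advisory describes (constructed here, not samtools or htslib code), the unchecked use of a decoder's return value beside its checked form. The decoder, its 8-byte header layout and the function names are hypothetical stand-ins for cram_decode_compression_header() and its caller in cram-size:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a decoded compression header (constructed, not htslib's type). */
typedef struct {
    uint32_t n_blocks;   /* number of compressed blocks the header describes */
} comp_hdr;

/* Hypothetical decoder: expects a 4-byte "CHDR" tag plus a little-endian
 * 32-bit block count. Returns NULL on truncated or malformed input, the
 * same way a real decoder signals an error to its caller. */
static comp_hdr *decode_compression_header(const uint8_t *buf, size_t len) {
    if (len < 8 || memcmp(buf, "CHDR", 4) != 0)
        return NULL;
    comp_hdr *h = malloc(sizeof(*h));
    if (!h) return NULL;
    h->n_blocks = (uint32_t)buf[4] | ((uint32_t)buf[5] << 8) |
                  ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 24);
    return h;
}

/* Vulnerable pattern: the decoder's result is used without a NULL check,
 * so a malformed or truncated header dereferences NULL and crashes. */
static long count_blocks_unchecked(const uint8_t *buf, size_t len) {
    comp_hdr *h = decode_compression_header(buf, len);
    long n = h->n_blocks;          /* NULL dereference if decoding failed */
    free(h);
    return n;
}

/* Fixed pattern: check the decoder's result and report an error (-1)
 * instead of touching a NULL pointer. */
static long count_blocks_checked(const uint8_t *buf, size_t len) {
    comp_hdr *h = decode_compression_header(buf, len);
    if (!h)
        return -1;                  /* propagate the decode failure */
    long n = h->n_blocks;
    free(h);
    return n;
}

/* Constructed inputs: one well-formed header, one truncated header. */
static const uint8_t good_hdr[8] = { 'C','H','D','R', 3,0,0,0 };
static const uint8_t bad_hdr[3]  = { 'C','H','D' };
```

Run only the checked variant on bad_hdr; the unchecked one will fault there, which is exactly the crash the advisory reports.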
