CVE-2026-31973
NULL pointer dereference in samtools cram-size
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, the cram-size command, used to write information about how well CRAM files are compressed, was missing a check for whether `cram_decode_compression_header()` had failed. If the function returned an error, this could lead to a NULL pointer dereference, which will typically cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
| CWE | CWE-476 |
| Vendor | samtools |
| Product | samtools |
| Published | Mar 18, 2026 |
| Last Updated | Mar 19, 2026 |
Affected Versions
samtools / samtools
>= 1.17, < 1.21.1; >= 1.22, < 1.22.2; = 1.23
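To check an inventory against these ranges, the sketch below is an added example, not code from the samtools project or from this advisory. It assumes the first line of `samtools --version` has the form `samtools X.Y[.Z]`; the function names, host names and sample outputs are constructed for illustration.

```python
import re

# Affected ranges as listed on this page: (lowest affected, first fixed release).
AFFECTED = [
    ((1, 17, 0), (1, 21, 1)),  # >= 1.17, < 1.21.1
    ((1, 22, 0), (1, 22, 2)),  # >= 1.22, < 1.22.2
    ((1, 23, 0), (1, 23, 1)),  # = 1.23 (1.23.1 carries the fix)
]

def parse_version(text):
    """Return (major, minor, patch) from a bare version or `samtools --version` output."""
    lines = text.strip().splitlines()
    first = lines[0] if lines else ""
    # Any suffix after the numeric part (e.g. a git describe tail) is ignored.
    m = re.search(r"(?:^|\s)(\d+)\.(\d+)(?:\.(\d+))?", first)
    if not m:
        raise ValueError(f"no samtools version found in {first!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0))

def first_fixed(text):
    """Return the fixed release to move to, or None if the version is not affected."""
    version = parse_version(text)
    for low, fixed in AFFECTED:
        if low <= version < fixed:
            return ".".join(str(part) for part in fixed)
    return None

def audit(inventory):
    """Map each host with an affected samtools to the fixed release for its branch."""
    findings = {}
    for host, output in inventory.items():
        fix = first_fixed(output)
        if fix is not None:
            findings[host] = fix
    return findings

# Constructed sample inventory: host name -> captured `samtools --version` output.
SAMPLE_INVENTORY = {
    "seq-node-01": "samtools 1.19.2\nUsing htslib 1.19.1",
    "seq-node-02": "samtools 1.16.1\nUsing htslib 1.16",
    "seq-node-03": "samtools 1.23\nUsing htslib 1.23",
    "seq-node-04": "samtools 1.22.2\nUsing htslib 1.22.2",
}

if __name__ == "__main__":
    for host, fix in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: affected by CVE-2026-31973, upgrade to {fix} or later")
```

Because the page lists no workaround, any host this flags needs the upgrade itself.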