CVE-2026-31972
March 18, 2026
SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The "mpileup" command outputs DNA sequences that have been aligned against a known reference. On each output line it writes the reference position, optionally the reference DNA base at that position (obtained from a separate reference file) and all of the DNA bases that aligned to that position. As the output is ordered by position, reference data that is no longer needed is discarded once it has been printed. Under certain conditions the data could be discarded too early, so that a later lookup reads through a pointer to freed memory (a use-after-free). The stale read may leak information about program state into the output, and may crash the process through an access to invalid memory. This bug is fixed in versions 1.21.1 and 1.22. There is no workaround for this issue.
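The lifecycle mistake described above, as an added illustration in C that is not samtools code: a slice of the reference is cached so the pileup loop can print the reference base for each output position, and is released once the loop has moved past it. Every name here (ref_cache, fetch_ref, release_early, ref_base_unchecked, release_if_done, ref_base, pileup_ref_column, hardened_lifecycle_ok) and the reference string are constructed for this example and are not samtools identifiers; the "wrong event" that triggers the early release is a stand-in for the unspecified condition in the advisory. The vulnerable shape frees the slice while positions inside it are still to be printed and leaves the pointer in place; the hardened shape frees only once the output cursor has passed the slice and fails closed on any lookup outside it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class, not samtools code. A pileup loop
 * caches a reference slice; the slice must outlive every position it covers. */
typedef struct {
    char *seq;      /* bases for reference positions [beg, end); NULL once released */
    long beg, end;
} ref_cache;

/* Hypothetical fetcher standing in for a FASTA-index read: heap-copies
 * full_ref[beg, end), clamped to the reference length. */
static void fetch_ref(ref_cache *c, const char *full_ref, long beg, long end) {
    long len = (long)strlen(full_ref);
    if (beg < 0) beg = 0;
    if (end > len) end = len;
    if (end < beg) end = beg;
    c->seq = malloc((size_t)(end - beg) + 1);
    if (c->seq == NULL) { perror("malloc"); exit(1); }
    memcpy(c->seq, full_ref + beg, (size_t)(end - beg));
    c->seq[end - beg] = '\0';
    c->beg = beg;
    c->end = end;
}

/* Vulnerable shape: release keyed on the wrong event while output positions
 * inside the slice remain, with the pointer left in place. */
static void release_early(ref_cache *c) {
    free(c->seq);               /* c->seq dangles; c->beg/c->end still claim coverage */
}

static char ref_base_unchecked(const ref_cache *c, long pos) {
    return c->seq[pos - c->beg];   /* use-after-free once release_early has run */
}

/* Hardened shape: release only when the output cursor has passed the slice,
 * and clear the bookkeeping so any stale lookup fails closed. Returns 1 if freed. */
static int release_if_done(ref_cache *c, long out_pos) {
    if (c->seq == NULL || out_pos < c->end) return 0;
    free(c->seq);
    c->seq = NULL;
    c->beg = c->end = 0;
    return 1;
}

/* Hardened lookup: 'N' (unknown base) for anything not currently cached. */
static char ref_base(const ref_cache *c, long pos) {
    if (c->seq == NULL || pos < c->beg || pos >= c->end) return 'N';
    return c->seq[pos - c->beg];
}

/* Simulated mpileup output loop over ascending positions: writes the reference
 * base for positions[i] into out[i] (out needs n+1 bytes), fetching slice_len
 * bases on demand and releasing a slice only after the cursor has left it.
 * Returns the number of slices released. */
static int pileup_ref_column(const char *full_ref, long slice_len,
                             const long *positions, size_t n, char *out) {
    ref_cache c = { NULL, 0, 0 };
    int released = 0;
    for (size_t i = 0; i < n; i++) {
        released += release_if_done(&c, positions[i]);   /* keyed on output cursor */
        if (c.seq == NULL) fetch_ref(&c, full_ref, positions[i], positions[i] + slice_len);
        out[i] = ref_base(&c, positions[i]);
    }
    out[n] = '\0';
    released += release_if_done(&c, c.end);              /* final cleanup */
    return released;
}

/* Exercises the hardened lifecycle on a constructed reference; 1 if all checks hold. */
static int hardened_lifecycle_ok(void) {
    ref_cache c = { NULL, 0, 0 };
    fetch_ref(&c, "ACGT", 1, 3);                          /* caches "CG" for positions 1,2 */
    int ok = ref_base(&c, 1) == 'C' && ref_base(&c, 2) == 'G'
          && ref_base(&c, 0) == 'N' && ref_base(&c, 3) == 'N';
    ok = ok && release_if_done(&c, 2) == 0;               /* cursor still inside the slice */
    ok = ok && release_if_done(&c, 3) == 1;               /* cursor past it: freed */
    ok = ok && c.seq == NULL && ref_base(&c, 1) == 'N';   /* stale lookup fails closed */
    ok = ok && release_if_done(&c, 3) == 0;               /* no double free */
    return ok;
}

int main(void) {
    const char *ref = "ACGTACGTTTGACCA";                  /* constructed reference, 0-based */
    const long positions[] = { 2, 3, 4, 8, 9, 12, 14 };
    char out[8];
    int released = pileup_ref_column(ref, 4, positions, 7, out);
    printf("hardened loop: ref column %s, %d slices released\n", out, released);

    /* Vulnerable path. Build with -fsanitize=address to have this reported as a
     * heap-use-after-free; without a sanitizer it silently returns stale heap. */
    ref_cache c;
    fetch_ref(&c, ref, 0, 4);
    release_early(&c);
    printf("unchecked read after early release: %c\n", ref_base_unchecked(&c, 1));
    return 0;
}
```

Compiling with -fsanitize=address (gcc or clang) turns the second read into an immediate heap-use-after-free report naming ref_base_unchecked; without a sanitizer it returns whatever the allocator left in the freed block, which is the information-leak outcome the advisory describes. An AddressSanitizer build of the real tool run over a suspect input is the practical way to confirm whether a given samtools build is exposed.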
Affected Packages
https://github.com/samtools/samtools.git (GITHUB):
Affected version(s): >=0.1.1 <1.21.1. Fix suggestion: update to version 1.21.1
Affected version(s): >=0.1.1 <1.23. Fix suggestion: update to version 1.23
Affected version(s): >=1.22 <1.22.1. Fix suggestion: update to version 1.22.1
The description above names 1.21.1 and 1.22 as the fixed versions, while the ranges here also list 1.22 as affected with the fix in 1.22.1, and the ranges overlap; the safe reading is 1.21.1 on the 1.21 line, 1.22.1 or later on the 1.22 line, and 1.23 as the version that satisfies every range listed.
CVSS v4
Base Score: 6.9 (Medium)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
Attack Vector: Network. Attack Complexity: Low. Attack Requirements: None. Privileges Required: None. User Interaction: None.
Vulnerable System: Confidentiality Low, Integrity None, Availability Low.
Subsequent System: Confidentiality None, Integrity None, Availability None.
samtools does not listen on the network; the Network attack vector reflects that mpileup inputs (alignment and reference files) commonly originate from untrusted remote sources, so the exposure is any pipeline that runs mpileup on files it did not produce itself.
CVSS v3
Base Score: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector: Network. Attack Complexity: Low. Privileges Required: None. User Interaction: None. Scope: Unchanged.
Confidentiality: Low. Integrity: None. Availability: Low.
Weakness Type (CWE): CWE-416 Use After Free
EPSS
Score: 0.02 (an estimated 2% probability of exploitation activity in the wild within the next 30 days, as of the scoring date)