HTSlib Out-of-Bounds Read Vulnerability in CRAM Reader

Vulnerability

A vulnerability allowing out-of-bounds reads has been identified in HTSlib, a library for handling bioinformatics file formats. The issue arises in the CRAM decoding process, specifically within the 'cram_decode_slice()' function. It is caused by improper validation of reference ID fields: an invalid reference ID is used to read data before the range check that should reject it is reached. The bug could lead to a program crash or to the leakage of two values to the caller, although the surrounding error handling may complicate exploitation. Affected versions are HTSlib 1.21 and prior, as well as 1.22, 1.22.1, and 1.23. The vulnerability has been patched in versions 1.21.1, 1.22.2, and 1.23.1.

Impact

Exploitation of this vulnerability can cause out-of-bounds reads, leading to memory access violations. This could result in a program crash or the unintended leakage of memory contents to the caller.

Remediation

Users can upgrade to HTSlib versions 1.21.1, 1.22.2, or 1.23.1 to address this vulnerability.
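The following checker is an added example, not code from HTSlib or from this advisory. It encodes the affected and fixed version sets stated above so that an installed version string (for instance the number printed by 'htsfile --version', or a package version such as '1.22.1-3') can be classified as affected or not. The function and constant names and the sample inputs are constructed here; the assumption that branches after 1.23 already carry the fix is marked in the code.

```python
"""Classify an HTSlib version against the affected range in this advisory.

Added example; not part of HTSlib or of the advisory itself.  The version
numbers come from the advisory text; helper names and sample inputs are
constructed for illustration.
"""
import re

# Fixed releases named in the advisory, keyed by their (major, minor) branch.
FIXED_BY_BRANCH = {
    (1, 21): (1, 21, 1),
    (1, 22): (1, 22, 2),
    (1, 23): (1, 23, 1),
}

# Every branch older than this one is affected and received no fix.
OLDEST_FIXED_BRANCH = (1, 21, 0)


def parse_version(text):
    """Extract (major, minor, patch) from strings like '1.22.1',
    'htsfile (htslib) 1.23' or '1.22.1-3ubuntu1'.
    A missing patch component is treated as 0, so '1.22' becomes (1, 22, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """Return True when the version lies in the advisory's affected set.

    Affected: 1.21 and earlier, 1.22, 1.22.1, 1.23.
    Not affected: 1.21.1, 1.22.2, 1.23.1 and later releases of those branches.
    """
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        # Inside a branch that received a fix: affected only below the fix.
        return version < FIXED_BY_BRANCH[branch]
    # Assumption: branches newer than 1.23 were cut after the fix landed,
    # so only branches older than 1.21 remain affected here.
    return version < OLDEST_FIXED_BRANCH


def triage(version_texts):
    """Map each input string to 'affected' / 'fixed' for a quick inventory."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in version_texts}


if __name__ == "__main__":
    # Constructed sample inputs, including a packaged-style version string.
    samples = ["1.19.1", "1.21", "1.21.1", "1.22.1", "1.22.2",
               "htsfile (htslib) 1.23", "1.23.1-2"]
    for name, status in triage(samples).items():
        print(f"{name:28s} {status}")
```

Running the block prints one line per sample; any host reporting an 'affected' entry should be moved to one of the fixed releases listed in the Remediation section.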

Added: Mar 18, 2026, 8:11 PM
Updated: Mar 18, 2026, 8:11 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 5.3
remediation: 7.7
relevance: 4.1
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.