{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "1.17"
              },
              {
                "fixed": "1.21.1"
              }
            ]
          },
          "events": [
            {
              "introduced": "4959cc981ad9725d3c6007687ca372ffcdaa3c80"
            },
            {
              "fixed": "063c0ed98dcfe9d64238098c693713cd915d7532"
            }
          ],
          "repo": "https://github.com/samtools/samtools",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "1.22"
              },
              {
                "fixed": "1.22.2"
              }
            ]
          },
          "events": [
            {
              "introduced": "da72567097265a61650a081c9f68d4a9f45bd105"
            },
            {
              "fixed": "b74903f69aa69a8435a2b5d66b2a6ca67f381a8e"
            }
          ],
          "repo": "https://github.com/samtools/samtools",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "= 1.23"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "32e616e651459318696b0810248060400618374c"
            }
          ],
          "repo": "https://github.com/samtools/samtools",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-x86f-q6fj-cm43"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-476"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31973.json"
  },
  "details": "SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, the cram-size command, which is used to write information about how well CRAM files are compressed, was missing a check for whether `cram_decode_compression_header()` had failed. If the function returned an error, this could lead to a NULL pointer dereference. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.",
  "id": "CVE-2026-31973",
  "modified": "2026-04-01T23:08:28.566193143Z",
  "published": "2026-03-18T20:34:00.846Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/18/12"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31973.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/samtools/samtools/security/advisories/GHSA-x86f-q6fj-cm43"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31973"
    },
    {
      "type": "FIX",
      "url": "https://github.com/samtools/samtools/commit/06fc2a219b3d7c94d3f412c09f6d1efd51199f2f"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NULL pointer dereference in samtools cram-size"
}