CVE-2026-31972 | SAMtools up to 1.21.0 use after free (GHSA-72c8-4jf3-f27p)

VDB-351627 · CVE-2026-31972 · GHSA-72C8-4JF3-F27P SAMTOOLS UP TO 1.21.0 USE AFTER FREE HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 7.0 $0-$5k 1.30+ Summaryinfo A vulnerability has been found in SAMtools up to 1.21.0 and classified as critical. Affected by this issue is some unknown functionality. Performing a manipulation results in use after free. This vulnerability is reported as CVE-2026-31972. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded. Detailsinfo A vulnerability was found in SAMtools up to 1.21.0. It has been classified as critical. This affects an unknown part. The manipulation with an unknown input leads to a use after free vulnerability. CWE is classifying the issue as CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is: SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The `mpileup` command outputs DNA sequences that have been aligned against a known reference. On each output line it writes the reference position, optionally the reference DNA base at that position (obtained from a separate file) and all of the DNA bases that aligned to that position. As the output is ordered by position, reference data that is no longer needed is discarded once it has been printed out. Under certain conditions the data could be discarded too early, leading to an attempt to read from a pointer to freed memory. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. This bug is fixed in versions 1.21.1 and 1.22. There is no workaround for this issue. It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2026-31972 since 03/10/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. The technical details are unknown and an exploit is not publicly available. Upgrading to version 1.21.1 eliminates this vulnerability. Applying the patch 3036eb9af945fcef359427a2d359855553da4adf is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. Productinfo Name SAMtools Version 1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21.0 License open-source Website Product: https://github.com/samtools/samtools/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 7.3 VulDB Meta Temp Score: 7.0 VulDB Base Score: 7.3 VulDB Temp Score: 7.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Use after free CWE: CWE-416 / CWE-119 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: SAMtools 1.21.1 Patch: 3036eb9af945fcef359427a2d359855553da4adf Timelineinfo 03/10/2026 CVE reserved 03/18/2026 +8 days Advisory disclosed 03/18/2026 +0 days VulDB entry created 03/19/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-72c8-4jf3-f27p Status: Confirmed CVE: CVE-2026-31972 (🔒) GCVE (CVE): GCVE-0-2026-31972 GCVE (VulDB): GCVE-100-351627 Entryinfo Created: 03/19/2026 00:02 Changes: 03/19/2026 00:02 (68) Complete: 🔍 Cache ID: 99:18C:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸