CVE-2026-22187
Unknown Unknown - Not Provided
Unsafe Java Deserialization in Bio-Formats Memoizer Enables RCE

Publication date: 2026-01-07

Last updated on: 2026-02-26

Assigner: VulnCheck

Description
Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22187
EUVD
EUVD-2026-1165
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openmicroscopy bio-formats to 8.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22187 is a vulnerability in Bio-Formats versions up to 8.3.0 where the software performs unsafe Java deserialization of memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes these memo files without any validation, integrity checks, or trust enforcement. An attacker who can supply a crafted or corrupted .bfmemo file alongside an image can cause the software to deserialize untrusted data, which can lead to denial of service, logic manipulation, or potentially remote code execution if suitable gadget chains are present on the classpath. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause denial of service through repeated parsing failures, manipulate the logic of the image processing, or potentially execute remote code on your system if the environment contains suitable gadget chains. This means your system could crash, behave unpredictably, or be compromised by malicious code execution when processing images with associated .bfmemo files. [1, 2]

Detection Guidance

This vulnerability can be detected by observing errors during image processing involving .bfmemo files. Specifically, loading a TIFF image with an associated corrupted or attacker-controlled .bfmemo file triggers multiple ClassNotFoundException errors for various reader classes, indicating failed deserialization attempts. A detection approach involves generating a valid TIFF image and its memo file, then corrupting the memo file (e.g., appending garbage bytes) and loading the image to observe these errors. Commands would involve using the Bio-Formats tool or Java environment to load images and monitor for deserialization errors such as ClassNotFoundException. Exact commands are not provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of Bio-Formats versions up to and including 8.3.0 that perform unsafe deserialization of .bfmemo files. Do not process images with untrusted or attacker-controlled .bfmemo files. If possible, remove or disable memoization cache files (.bfmemo) to prevent automatic deserialization. Additionally, ensure that the classpath does not contain gadget chains that could be exploited for remote code execution. Applying patches or updates from the vendor when available is recommended. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22187. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart