
Description

Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.
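As an added defender-side example (not code from the advisory or from Bio-Formats itself), the sweep below inventories and quarantines .bfmemo files that arrive with an untrusted image set before Bio-Formats opens it, so no uploader-supplied memo is ever handed to the Memoizer. The memo naming convention ('.<image name>.bfmemo' beside the image) and the use of a separate trusted memo directory are assumptions, not facts stated in the record.

```python
import os
import shutil
import tempfile
from pathlib import Path

MEMO_SUFFIX = ".bfmemo"

def memo_source_image(memo):
    """Image a memo claims to cache, or None if orphaned. Assumption (not from
    the advisory): Bio-Formats names it '.<image name>.bfmemo' beside the image."""
    stem = memo.name[: -len(MEMO_SUFFIX)].lstrip(".")
    candidate = memo.with_name(stem) if stem else None
    return candidate if candidate and candidate.is_file() else None

def find_memos(root, trusted_memo_dir=None):
    """(memo, image-or-None) for every .bfmemo under root, skipping our own
    trusted memo directory, a location the uploader cannot write to."""
    trusted = Path(trusted_memo_dir).resolve() if trusted_memo_dir else None
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(MEMO_SUFFIX):
                continue
            memo = Path(dirpath, name)
            if trusted and trusted in memo.resolve().parents:
                continue
            found.append((memo, memo_source_image(memo)))
    return sorted(found, key=lambda f: str(f[0]))

def quarantine_memos(found, root, quarantine_dir):
    """Move flagged memos out of the dataset (keeping their relative path), so
    Bio-Formats parses the image itself rather than the supplied cache file."""
    moved = []
    for memo, _image in found:
        target = Path(quarantine_dir) / memo.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(memo), str(target))
        moved.append(target)
    return moved

def build_sample_dataset():
    """Constructed sample tree: an image with its memo, an orphan memo, and a trusted memo dir."""
    base = Path(tempfile.mkdtemp(prefix="bfmemo-audit-"))
    for sub in ("incoming", "memo_cache"):
        (base / sub).mkdir()
    (base / "incoming" / "sample.tif").write_bytes(b"II*\x00")  # TIFF magic only
    for rel in ("incoming/.sample.tif.bfmemo", "incoming/orphan.bfmemo",
                "memo_cache/.other.tif.bfmemo"):
        (base / rel).write_bytes(b"constructed placeholder, not a real memo")
    return base
```

Run `find_memos` on the upload directory and `quarantine_memos` on its result before any Bio-Formats reader touches the files; the memo in the trusted directory is left in place because only the processing service can write there.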

Status: PUBLISHED | Reserved 2026-01-06 | Published 2026-01-07 | Updated 2026-01-07 | Assigner: VulnCheck

Severity: MEDIUM 6.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status: unaffected

Any version: affected

Credits

Ron Edgerson (finder)

References

seclists.org/fulldisclosure/2026/Jan/7 (technical description, exploit)

docs.openmicroscopy.org/bio-formats/ (product, release notes)

www.vulncheck.com/...-deserialization-via-bfmemo-cache-files (third-party advisory)

cve.org (CVE-2026-22187)

nvd.nist.gov (CVE-2026-22187)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.