CVE-2026-22187
Published: 07 January 2026
Summary
CVE-2026-22187 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Openmicroscopy Bio-Formats. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 38.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): apply the vendor fix promptly; every Bio-Formats release up to and including 8.3.0 is affected.
SI-10 (Information Input Validation): validate untrusted inputs such as attacker-supplied .bfmemo files before any deserialization takes place, so that a crafted cache file cannot reach ObjectInputStream.
Integrity enforcement: verify memoization cache files (.bfmemo) before processing them, so that tampered or foreign serialized data is rejected rather than deserialized.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization of an attacker-supplied .bfmemo file yields client-side code execution when a user opens the paired image file (T1204.002, Malicious File), provided a suitable gadget chain is present on the classpath; this matches Exploitation for Client Execution (T1203).
NVD Description
Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.
Deeper analysis
CVE-2026-22187 is an unsafe Java deserialization vulnerability in Bio-Formats versions up to and including 8.3.0. The issue resides in the loci.formats.Memoizer class, which automatically loads and deserializes memoization cache files (.bfmemo) associated with images during processing, without performing validation, integrity checks, or trust enforcement. This flaw, classified under CWE-502, enables deserialization of untrusted data when a crafted .bfmemo file is present alongside an image file.
An attacker can exploit this vulnerability by supplying a malicious .bfmemo file paired with a legitimate image. Exploitation requires local access (AV:L) with low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), such as a user opening the image in an affected Bio-Formats application. Successful deserialization may lead to denial of service, logic manipulation, or arbitrary code execution in the context of the application where suitable gadget chains exist on the classpath. The CVSS v3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, giving a base score of 7.8 (High): unchanged scope with high impact on confidentiality, integrity, and availability.
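The following is an added example written for this page, not Bio-Formats code: it shows the unsafe load pattern the analysis above describes beside a hardened loader that implements the two controls listed under Mitigating Controls, an integrity check on the .bfmemo file before any parsing and input validation of the serialized stream via a deserialization allow-list. The MemoState record, the file layout (a magic prefix, an HMAC-SHA256 tag, then the Java serialization payload), the class names and the key handling are assumptions made for the example; it requires Java 9 or newer for java.io.ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative code for this page, not the Bio-Formats Memoizer. The memo
 * record, file layout and class names are assumptions made for the example.
 */
public final class MemoLoading {

    /** Stand-in for the cached reader state a memo file might hold (assumption). */
    public static final class MemoState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String readerClass;
        final long imageLength;
        MemoState(String readerClass, long imageLength) {
            this.readerClass = readerClass;
            this.imageLength = imageLength;
        }
    }

    // Unsafe (CWE-502): every class named in the stream is instantiated and its
    // readObject()/readResolve() hooks run before the cast is reached, so a gadget
    // chain on the classpath executes inside readObject() whatever the file "is".
    public static MemoState loadUnsafe(Path memo) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(memo))) {
            return (MemoState) in.readObject();
        }
    }

    // Hardened layout (assumed): MAGIC || HMAC-SHA256(key, payload) || payload
    private static final byte[] MAGIC = "BFMEMO1".getBytes(StandardCharsets.US_ASCII);
    private static final int TAG_LEN = 32;

    // Allow-list: only the memo record and the String it contains; "!*" rejects
    // everything else, and the depth/size limits bound resource-exhaustion payloads.
    private static final ObjectInputFilter MEMO_FILTER = ObjectInputFilter.Config.createFilter(
            "MemoLoading$MemoState;java.lang.String;!*;maxdepth=8;maxbytes=1048576");

    public static void saveHardened(Path memo, Serializable state, byte[] key)
            throws IOException, GeneralSecurityException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(state);
        }
        byte[] payload = buf.toByteArray();
        try (OutputStream out = Files.newOutputStream(memo)) {
            out.write(MAGIC);
            out.write(hmac(key, payload));
            out.write(payload);
        }
    }

    public static MemoState loadHardened(Path memo, byte[] key)
            throws IOException, GeneralSecurityException, ClassNotFoundException {
        byte[] raw = Files.readAllBytes(memo);
        if (raw.length < MAGIC.length + TAG_LEN
                || !Arrays.equals(Arrays.copyOfRange(raw, 0, MAGIC.length), MAGIC)) {
            throw new IOException("not a memo file");
        }
        byte[] tag = Arrays.copyOfRange(raw, MAGIC.length, MAGIC.length + TAG_LEN);
        byte[] payload = Arrays.copyOfRange(raw, MAGIC.length + TAG_LEN, raw.length);
        // Integrity first, compared in constant time: a tampered or foreign file is
        // rejected before any ObjectInputStream exists.
        if (!MessageDigest.isEqual(tag, hmac(key, payload))) {
            throw new IOException("memo integrity check failed");
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(MEMO_FILTER); // defence in depth if the key ever leaks
            return (MemoState) in.readObject();
        }
    }

    private static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // in practice: a per-host key readable only by the service
        Path memo = Files.createTempDirectory("memo-demo").resolve("image.tif.bfmemo");

        saveHardened(memo, new MemoState("loci.formats.in.TiffReader", 4096L), key);
        System.out.println("valid memo: " + loadHardened(memo, key).readerClass);

        // 1) Byte-level tampering is caught by the HMAC before parsing starts.
        byte[] raw = Files.readAllBytes(memo);
        raw[raw.length - 1] ^= 0x01;
        Files.write(memo, raw);
        try { loadHardened(memo, key); } catch (IOException e) { System.out.println("tampered: " + e.getMessage()); }

        // 2) A correctly tagged file carrying a class outside the allow-list is still refused.
        saveHardened(memo, new ArrayList<String>(), key);
        try { loadHardened(memo, key); } catch (InvalidClassException e) { System.out.println("filtered: " + e.getMessage()); }
    }
}
```

Upgrading past the affected releases is the fix; the pattern above is what "validation and integrity checks" mean in practice for a cache file that the application both writes and later reads. Because the HMAC key is local to the host that produced the memo, a .bfmemo dropped next to an image by anyone else fails the integrity check before ObjectInputStream is constructed, and the allow-list filter keeps a leaked key from turning the cache into a deserialization channel.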
Mitigation guidance is available in related advisories, including the Open Microscopy Environment Bio-Formats documentation at https://docs.openmicroscopy.org/bio-formats/, the Full Disclosure mailing list posting at https://seclists.org/fulldisclosure/2026/Jan/7, and VulnCheck's advisory at https://www.vulncheck.com/advisories/bio-formats-memoizer-unsafe-deserialization-via-bfmemo-cache-files. Security practitioners should consult these resources for patching instructions and workarounds specific to affected versions.
Details
- CWE(s)