PT-2026-2161 · Unknown · Bio-Formats
Author: Ron Edgerson · Published: 2026-01-07 · Updated: 2026-02-26
CVE-2026-22187
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Bio-Formats versions up to and including 8.3.0
Description: Bio-Formats versions up to and including 8.3.0 are susceptible to unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes the memo file associated with an image without validating it or enforcing any trust boundary. An attacker who supplies a crafted .bfmemo file alongside an image can therefore trigger deserialization of untrusted data, potentially leading to denial of service, logic manipulation, or remote code execution if suitable gadget chains are present on the classpath. Java deserialization converts a byte stream back into an object graph; because the stream here is not validated, the attacker controls which classes are instantiated and with what field values, which is what makes code execution possible.
Recommendations: Versions prior to 8.3.1 should be updated.
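Added example, not Bio-Formats or Memoizer code: the trust enforcement the description says is missing, shown as a JEP 290 ObjectInputFilter allow-list installed before a memo-like serialized stream is read, so that classes outside the list (and over-deep or over-large streams) are rejected before any readObject logic runs. The class names, the MemoFilterDemo and Unexpected types and the sample contents are assumptions; it needs Java 9 or later.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical demo class, not part of Bio-Formats.
public class MemoFilterDemo {

    // Allow-list filter: only the named classes may be reconstructed; "!*" rejects
    // everything else. maxdepth/maxbytes bound the work an attacker-controlled
    // stream can cause (the DoS side of the advisory). First matching rule wins.
    static final ObjectInputFilter MEMO_FILTER =
        ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;java.lang.Integer;java.lang.Number;"
            + "maxdepth=8;maxbytes=1048576;!*");

    // Serialize an object to bytes; stands in for a memo file read from disk.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed. A class outside the allow-list
    // makes ObjectInputStream throw InvalidClassException ("filter status: REJECTED"),
    // which a caller should treat as "memo untrusted, regenerate it".
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(MEMO_FILTER);
            return ois.readObject();
        }
    }

    // Constructed stand-in for a class an attacker might place in the stream;
    // it is harmless here, the point is that the filter decides, not the class.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        // Constructed "good" memo content built only from allow-listed classes.
        List<String> good = new ArrayList<>(List.of("offset-table", "series-0"));
        System.out.println("accepted: " + readFiltered(serialize(good)));

        try {
            readFiltered(serialize(new Unexpected()));   // not allow-listed
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A filter only limits which classes can be instantiated; it does not make a cache file trustworthy, so a memo that fails the filter should be discarded and rebuilt from the image rather than retried.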

Tags: Exploit, Fix, DoS, RCE, Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers: CVE-2026-22187, GHSA-QJM3-CVP9-3JJ3

Affected Products: Bio-Formats