CVE-2026-22187

7.8 HIGH

📋 TL;DR

Bio-Formats up to version 8.3.0 has unsafe Java deserialization in the Memoizer class, allowing attackers to execute arbitrary code by providing malicious .bfmemo cache files alongside images. This affects all users processing images with Bio-Formats, particularly in scientific and medical imaging workflows. The vulnerability requires an attacker to supply a crafted file that gets loaded during image processing.

💻 Affected Systems

Products:
  • Bio-Formats
Versions: All versions up to and including 8.3.0
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is active when processing images with memoization enabled (default behavior).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the Bio-Formats process, potentially leading to complete system compromise.

🟠 Likely Case: Denial of service through application crashes or logic manipulation in image processing pipelines.

🟢 If Mitigated: Limited impact if file uploads are restricted and memoization is disabled.

🌐 Internet-Facing: MEDIUM - Requires file upload capability or attacker-controlled file placement.
🏢 Internal Only: MEDIUM - Internal users could exploit if they can place files in processing directories.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires crafting a malicious .bfmemo file and getting it loaded by the application, which depends on specific gadget chains in the classpath.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.1 or later

Vendor Advisory: https://docs.openmicroscopy.org/bio-formats/

Restart Required: Yes

Instructions:

1. Upgrade Bio-Formats to version 8.3.1 or later.
2. Restart any applications using Bio-Formats.
3. Clear existing .bfmemo cache files.

🔧 Temporary Workarounds

Disable memoization (all platforms)

Prevent loading of .bfmemo files by disabling the memoization feature.

Set system property: -Dloci.formats.Memoizer.enabled=false

Restrict file permissions (all platforms)

Prevent unauthorized users from writing .bfmemo files to processing directories.

chmod 644 *.bfmemo (Linux)
icacls *.bfmemo /deny Everyone:(W) (Windows)

🧯 If You Can't Patch

  • Disable memoization feature completely via system property
  • Implement strict file upload validation and sanitization for all image processing inputs

🔍 How to Verify

Check if Vulnerable:

Check the Bio-Formats version: if it is 8.3.0 or earlier and memoization is enabled, the system is vulnerable.

Check Version:

java -cp bioformats_package.jar loci.formats.FormatTools --version

Verify Fix Applied:

Confirm Bio-Formats version is ≥8.3.1 and memoization uses safe serialization.

📡 Detection & Monitoring

Log Indicators:

  • Java deserialization errors
  • Unexpected ClassNotFoundException during image processing
  • Memoizer class loading failures

Network Indicators:

  • Unusual file uploads with .bfmemo extensions
  • Outbound connections from image processing services

SIEM Query:

source="*bioformats*" AND (event="deserialization" OR error="InvalidClassException")
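As an added example (not part of this advisory or of the Bio-Formats project), the log indicators listed above turned into a small scanner that runs over constructed sample lines. The log line layout, the EXPECTED_PREFIXES namespaces and the severity rules are assumptions.

```python
import re
from typing import NamedTuple

# Constructed sample log lines (not captured from a real Bio-Formats deployment;
# the line layout is an assumption). Lines 2-4 carry the indicators the advisory lists.
SAMPLE_LOG = """\
2026-01-10 09:12:01 INFO  loci.formats.Memoizer - saved memo file /data/img1.czi.bfmemo
2026-01-10 09:12:05 WARN  loci.formats.Memoizer - failed to load memo file /data/img2.czi.bfmemo
java.io.InvalidClassException: loci.formats.in.ZeissCZIReader; local class incompatible
2026-01-10 09:12:06 ERROR loci.formats.ImageReader - java.lang.ClassNotFoundException: com.example.Gadget
2026-01-10 09:13:00 INFO  loci.formats.ImageReader - opened /data/img3.tif
"""

# Namespaces a legitimate memo file is expected to reference (assumed); anything else is suspect.
EXPECTED_PREFIXES = ("loci.", "ome.", "java.", "javax.")

INDICATORS = [
    ("deserialization_error", re.compile(
        r"java\.io\.(InvalidClassException|StreamCorruptedException|OptionalDataException)")),
    ("unexpected_class", re.compile(r"ClassNotFoundException:\s*(?P<cls>[\w.$]+)")),
    ("memoizer_failure", re.compile(r"loci\.formats\.Memoizer - .*\b(fail|error|cannot)", re.I)),
]


class Hit(NamedTuple):
    line_no: int
    indicator: str
    severity: str
    line: str


def scan_log(text: str) -> list[Hit]:
    """Return one Hit per (line, indicator) match, in file order."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS:
            m = pattern.search(line)
            if not m:
                continue
            severity = "medium"
            # A class outside the expected namespaces failing to resolve while
            # image processing runs is the stronger signal of a foreign object graph.
            if name == "unexpected_class" and not m.group("cls").startswith(EXPECTED_PREFIXES):
                severity = "high"
            hits.append(Hit(n, name, severity, line.strip()))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.indicator} [{h.severity}] {h.line}")
```

An InvalidClassException from the Memoizer can also come from a stale cache file left behind by a Bio-Formats upgrade, so correlate a burst of them with deployment timing before escalating.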
