CVE-2026-22187 Overview
Bio-Formats versions up to and including 8.3.0 contain an insecure deserialization vulnerability in the loci.formats.Memoizer class. The library performs unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing operations. When Bio-Formats loads an image, it automatically loads and deserializes associated memo files without proper validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, potentially resulting in denial of service, logic manipulation, or remote code execution in environments where suitable gadget chains exist on the classpath.
Critical Impact
Attackers can achieve denial of service, application logic manipulation, or potentially remote code execution by supplying malicious .bfmemo cache files alongside images processed by Bio-Formats.
Affected Products
- Bio-Formats versions up to and including 8.3.0
- Applications and systems utilizing Bio-Formats for image processing
- Scientific imaging workflows that process untrusted image files
Discovery Timeline
- 2026-01-07 - CVE-2026-22187 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-22187
Vulnerability Analysis
This vulnerability falls under CWE-502 (Deserialization of Untrusted Data), a well-known class of security issues in Java applications. The Bio-Formats library implements a memoization caching system designed to improve performance when repeatedly processing the same image files. When an image is loaded, the loci.formats.Memoizer class checks for a corresponding .bfmemo file and, if found, deserializes its contents using Java's native object serialization mechanism.
The fundamental security flaw lies in the absence of validation or integrity verification before deserializing these cache files. Java's ObjectInputStream will instantiate arbitrary classes during deserialization, and if an attacker can control the serialized data, they can leverage existing classes on the application's classpath (known as "gadget chains") to execute arbitrary code.
The attack requires local access, meaning the attacker must be able to place a malicious .bfmemo file in a location where Bio-Formats will discover it when processing an associated image. This could occur through file uploads, shared network drives, or other file delivery mechanisms in environments processing untrusted image data.
Root Cause
The root cause is the automatic deserialization of .bfmemo cache files without any form of trust verification. The loci.formats.Memoizer class blindly trusts cache files found alongside images, using Java's native serialization to reconstruct objects from potentially attacker-controlled data. This design assumes that cache files originate from legitimate prior processing operations, an assumption that fails in adversarial scenarios where attackers can supply their own files.
Attack Vector
The attack vector requires local file system access to position a malicious .bfmemo file where the application will discover and process it. An attacker would:
- Create a malicious serialized Java object payload containing a gadget chain appropriate for the target environment
- Save this payload as a .bfmemo file with a filename corresponding to a target image
- Deliver both the image and the malicious memo file to a system running Bio-Formats
- When the application processes the image, the Memoizer class automatically loads and deserializes the malicious cache file
- Depending on available gadget chains, this can result in denial of service, data manipulation, or code execution
The vulnerability is particularly concerning in scientific and research environments where Bio-Formats is commonly deployed to process large datasets of microscopy images from various sources. For additional technical details, see the Full Disclosure posting and VulnCheck Security Advisory.
Detection Methods for CVE-2026-22187
Indicators of Compromise
- Presence of unexpected .bfmemo files alongside image files, especially from external sources
- .bfmemo files with unusual sizes or creation timestamps inconsistent with legitimate caching operations
- Java application crashes or unexpected behavior when processing images with associated memo files
- Evidence of deserialization gadget chain execution in application logs or system monitoring
Detection Strategies
- Monitor file system activity for creation of .bfmemo files in image processing directories
- Implement file integrity monitoring for directories where Bio-Formats processes images
- Deploy Java deserialization attack detection tools that can identify common gadget chain patterns
- Audit application classpath for libraries containing known deserialization gadget chains (e.g., Commons Collections, Spring, etc.)
Monitoring Recommendations
- Enable verbose logging for Bio-Formats operations to track memo file loading behavior
- Implement application-level monitoring to detect abnormal memory usage or CPU spikes during image processing
- Configure security monitoring tools to alert on unexpected child process creation from Java applications
- Review network connections initiated by image processing applications for signs of post-exploitation activity
How to Mitigate CVE-2026-22187
Immediate Actions Required
- Upgrade Bio-Formats to a patched version when available from the Open Microscopy Environment project
- Disable memoization caching functionality if not operationally required
- Implement strict file validation to reject or quarantine .bfmemo files from untrusted sources
- Isolate image processing workflows from critical systems and sensitive data
- Review and minimize the application classpath to reduce available gadget chains
Patch Information
As of the last NVD update on 2026-01-08, organizations should monitor the Open Microscopy Documentation for official patch releases and upgrade guidance. The VulnCheck Security Advisory provides additional context on the vulnerability and recommended mitigations.
Workarounds
- Configure file processing pipelines to strip or reject .bfmemo files from incoming image datasets before processing
- Implement Java Security Manager policies to restrict deserialization operations (note: Security Manager is deprecated in newer Java versions)
- Deploy Java agent-based deserialization filters to block dangerous gadget chain classes
- Process untrusted images in sandboxed or containerized environments with limited capabilities
- Use file system permissions to prevent creation of memo files in image directories
# Configuration example
# Remove existing .bfmemo files and prevent new ones in image directories
find /path/to/images -name "*.bfmemo" -type f -delete
# Set directory permissions to prevent memo file creation (Unix/Linux)
# Note: This may impact Bio-Formats caching functionality
chmod 555 /path/to/images
# Alternative: Use inotifywait to monitor and remove .bfmemo files
inotifywait -m -e create /path/to/images | while read path action file; do
if [[ "$file" == *.bfmemo ]]; then
rm -f "${path}${file}"
logger "Removed suspicious .bfmemo file: ${path}${file}"
fi
done
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
