6.8

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22187

CVE-2026-22187: Bio-Formats <= 8.3.0 Memoizer Unsafe Deserialization via .bfmemo Cache Files

Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22187

CVE-2026-22187:

6.8

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ome:pom-bio-formats	maven	<= 8.3.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a straightforward case of unsafe Java deserialization. The loci.formats.Memoizer class, intended to cache image metadata, reads and deserializes .bfmemo files without any validation. The vulnerability is triggered when an image is processed, and a corresponding malicious .bfmemo file is present. The constructor of the Memoizer class is the entry point for this vulnerability, as it's responsible for loading and deserializing the memoization file. The provided advisories and the proof-of-concept stack trace clearly point to loci.formats.Memoizer.<init> as the vulnerable function. Since no patch has been released, the vulnerable code, which uses java.io.ObjectInputStream in an unsafe manner, persists in the codebase.

Vulnerable functions

loci.formats.Memoizer.Memoizer

components/formats-bsd/src/loci/formats/Memoizer.java

The constructor of the `Memoizer` class is vulnerable to unsafe deserialization. It reads a `.bfmemo` file associated with an image and deserializes its content using `ObjectInputStream` without any security checks. An attacker can craft a malicious `.bfmemo` file to execute arbitrary code when a user opens an image.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22187: Bio-Formats <= 8.3.0 Memoizer Unsafe Deserialization via .bfmemo Cache Files

CVE-2026-22187:

6.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2026-22187: Bio-Formats <= 8.3.0 Memoizer Unsafe Deserialization via .bfmemo Cache Files

6.8

6.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI