CVE-2026-22187

HIGH

openmicroscopy/bio-formats <= 8.3.0 - Deserialization of Untrusted Data via Memoization Cache Files

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-22187. PoCs published by XiaomingX and George0Papasotiriou.

AI-analyzed exploit summary: The repository contains a functional PoC demonstrating unsafe Java deserialization in Bio-Formats via .bfmemo files. The code exercises the deserialization path without a malicious payload, confirming that the vulnerable code path is reachable.

Description

Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.

Exploits (2)

GitHub · Working PoC · 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-22187


Classification: Working PoC (90%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Bio-Formats ≤ 8.3.0
Authentication: none needed
Prerequisites: Bio-Formats on classpath · attacker-controlled .bfmemo file
Analyzed by devstral-2 on Feb 27, 2026
nomisec · Working PoC · 1 star
by George0Papasotiriou · poc
https://github.com/George0Papasotiriou/CVE-2026-22187-Bio-Formats-unsafe-Java-deserialization-via-.bfmemo

This PoC demonstrates unsafe Java deserialization in Bio-Formats via .bfmemo files. It shows the code path where deserialization occurs but does not include a gadget chain or malicious payload.

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Bio-Formats ≤ 8.3.0
Authentication: none needed
Prerequisites: Bio-Formats library on classpath · crafted .bfmemo file
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References
Mailing List (technical description, exploit): https://seclists.org/fulldisclosure/2026/Jan/7
Various Sources (product, release notes): https://docs.openmicroscopy.org/bio-formats/

Scores

CVSS v3: 7.8
EPSS: 0.0043
EPSS Percentile: 63.1%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-502
Status: published
Products (2)
ome/pom-bio-formats (Maven)
openmicroscopy/bio-formats < 8.3.0
Published: Jan 07, 2026
Tracked Since: Feb 18, 2026