Java
CVE-2026-22187
HIGH
Severity by source
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (CVE.org)
Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.
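Because memo files are loaded without any trust check, a practical triage step is to find every .bfmemo file in an image tree and ask who could have written it. The following is an added example, not code from Bio-Formats or from this advisory; it assumes POSIX ownership and permission bits are the trust signal, that the caller supplies the set of trusted UIDs, and the file names in the sample tree are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

MEMO_SUFFIX = ".bfmemo"              # extension named in the CVE description
LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group / other


def audit_memo_files(root, trusted_uids):
    """Return {memo path: [reasons it should not be trusted]} for files under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        # Anyone who can write to the directory can drop a memo next to an image.
        dir_loose = bool(os.stat(dirpath).st_mode & LOOSE)
        for name in files:
            if not name.endswith(MEMO_SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect a symlink itself, not its target
            reasons = []
            if stat.S_ISLNK(st.st_mode):
                reasons.append("symlink")
            if st.st_uid not in trusted_uids:
                reasons.append("owner not trusted")
            if st.st_mode & LOOSE:
                reasons.append("file writable by group/other")
            if dir_loose:
                reasons.append("directory writable by group/other")
            findings[path] = reasons
    return findings


def build_sample_tree():
    """Constructed sample: one image with a tight memo, one with a loose memo."""
    root = Path(tempfile.mkdtemp(prefix="bfmemo-audit-"))
    os.chmod(root, 0o755)
    for image, memo, mode in (("a.tiff", ".a.tiff.bfmemo", 0o644),
                              ("b.tiff", ".b.tiff.bfmemo", 0o666)):
        (root / image).write_bytes(b"constructed image bytes")
        (root / memo).write_bytes(b"constructed memo bytes")
        os.chmod(root / memo, mode)
    return root


if __name__ == "__main__":
    report = audit_memo_files(build_sample_tree(), {os.getuid()})
    for path, reasons in sorted(report.items()):
        print(path, "->", "; ".join(reasons) or "ok")
```

An empty reason list only means the memo passed these filesystem checks; it says nothing about the file's contents.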
Analysis (AI)
Unsafe deserialization in Bio-Formats up to version 8.3.0 allows local attackers to execute arbitrary code or cause denial of service by crafting malicious .bfmemo cache files that are automatically loaded during image processing without validation. The Memoizer class deserializes untrusted data from these files, enabling potential remote code execution if suitable Java gadget chains are available on the classpath. …
Vulnerability Assessment (AI)
| Exploitation | Attacker-controlled .bfmemo file must be co-located with target image file in same directory. … |
| Risk Assessment | CVSS 7.8 (HIGH). … |
| Exploit Scenario | A remote attacker could exploit this vulnerability to cause denial of service, logic manipulation, or potentially remote code execution in e. |
| Remediation | Monitor vendor advisories for a patch. |
Recommended Action (AI)
Within 7 days: Identify all affected systems and apply vendor patches promptly. …
GHSA-qjm3-cvp9-3jj3