Description
Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.
Published: 2026-01-07
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution and Denial of Service
Action: Patch Now
AI Analysis

Impact

The vulnerability arises from unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) that Bio-Formats versions up to and including 8.3.0 automatically load during image processing. Because the Memoizer class performs no validation, integrity checks, or trust enforcement, a crafted .bfmemo file can trigger the deserialization of untrusted data, leading to denial of service, logic manipulation, or, in the presence of vulnerable gadget chains on the classpath, remote code execution. The weakness is classified as CWE-502.

Affected Systems

The affected product is Bio-Formats provided by the Open Microscopy Environment. Versions up to and including 8.3.0 are impacted. The software is used in image-processing pipelines on desktop and server environments that load biomedical image files.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a malicious .bfmemo file that the application will load automatically, typically by providing a crafted image that triggers the deserialization path. No network-based attack vectors are described, so the threat is mostly local or requires the attacker to place the file on a system that processes images with Bio-Formats.

Generated by OpenCVE AI on April 18, 2026 at 07:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Bio-Formats version 8.3.1 or later where unsafe deserialization of .bfmemo files has been removed or secured.
  • Prevent the library from loading memoization cache files by configuring the environment to delete existing .bfmemo files or setting permissions so that only trusted processes can create them.
  • Implement application-level input validation to reject or tightly validate any .bfmemo files encountered during processing, ensuring only signed or integrity-checked files are accepted.
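An added example (not OpenCVE's or Bio-Formats' own code) of the second and third recommendations combined: a trusted step records a SHA-256 manifest of the memo files it generated, and a sweep run before Bio-Formats touches an image tree deletes every .bfmemo that is unlisted, altered or a symlink. The manifest format and the sweep step are assumptions of this example, not a Bio-Formats feature.

```python
"""Integrity sweep for Bio-Formats .bfmemo cache files.

Assumed deployment model (an added example, not a Bio-Formats feature):
a trusted process generates memo files and records their SHA-256 in a
manifest; before an image tree that untrusted parties could have written
to is handed to Bio-Formats, sweep_memos() deletes every .bfmemo that is
unlisted, altered, or a symlink, so the Memoizer never deserializes them.
"""
import hashlib
from pathlib import Path

MEMO_SUFFIX = ".bfmemo"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (memo files can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record every memo under root. Run only by the trusted memo writer,
    and store the manifest where untrusted writers cannot reach it."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*" + MEMO_SUFFIX)
            if p.is_file() and not p.is_symlink()}


def sweep_memos(root: Path, manifest: dict) -> list:
    """Delete each .bfmemo under root that is not in the manifest, whose
    hash differs from the recorded one, or that is a symlink. Returns the
    deleted paths relative to root; whatever remains is integrity-checked."""
    removed = []
    for p in root.rglob("*" + MEMO_SUFFIX):
        if p.is_dir() and not p.is_symlink():
            continue  # a directory cannot be a memo file
        rel = p.relative_to(root).as_posix()
        if p.is_symlink() or manifest.get(rel) != sha256_of(p):
            p.unlink()
            removed.append(rel)
    return removed
```

The manifest is only as trustworthy as its storage: keep it outside the image tree with permissions that allow writes by the trusted memo-generating account alone, otherwise an attacker who can drop a .bfmemo file can also rewrite the manifest to match it.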

Advisories
Source: GitHub GHSA
ID: GHSA-qjm3-cvp9-3jj3
Title: Bio-Formats performs unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing
History

Thu, 26 Feb 2026 23:45:00 +0000

Type: First Time appeared
Values Added: Openmicroscopy; Openmicroscopy bio-formats

Type: CPEs
Values Added: cpe:2.3:a:openmicroscopy:bio-formats:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Openmicroscopy; Openmicroscopy bio-formats

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 07 Jan 2026 22:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 20:45:00 +0000

Type: Description
Values Added: Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.

Type: Title
Values Added: Bio-Formats <= 8.3.0 Memoizer Unsafe Deserialization via .bfmemo Cache Files

Type: Weaknesses
Values Added: CWE-502

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-01-07T21:34:15.949Z

Reserved: 2026-01-06T16:47:17.182Z

Link: CVE-2026-22187

Vulnrichment

Updated: 2026-01-07T21:32:16.195Z

NVD

Status: Analyzed

Published: 2026-01-07T21:16:02.600

Modified: 2026-02-26T23:36:40.770

Link: CVE-2026-22187

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses