CVE-2026-22187

Sažetak

Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.

Reference

https://docs.openmicroscopy.org/bio-formats/
https://seclists.org/fulldisclosure/2026/Jan/7
https://www.vulncheck.com/advisories/bio-formats-memoizer-unsafe-deserialization-via-bfmemo-cache-files

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

07-01-2026 - 21:16

Objavljeno

07-01-2026 - 21:16