
CVE-2026-22187: CWE-502 Deserialization of Untrusted Data in Open Microscopy Environment Bio-Formats

Severity: Medium
Published: Wed Jan 07 2026 (01/07/2026, 20:27:06 UTC)
Source: CVE Database V5
Vendor/Project: Open Microscopy Environment
Product: Bio-Formats

Description

Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.

AI-Powered Analysis

Last updated: 01/07/2026, 21:02:32 UTC

Technical Analysis

CVE-2026-22187 is a CWE-502 (Deserialization of Untrusted Data) vulnerability in Bio-Formats, the Open Microscopy Environment library widely used to read and write life-sciences image file formats. The loci.formats.Memoizer class stores reader state in a memoization cache file (.bfmemo) and, on later reads, automatically loads and deserializes the memo file associated with an image without validation, integrity checks, or any trust boundary between the image and its cache. Java object deserialization instantiates whatever classes the stream names, so a crafted .bfmemo can at minimum abort or exhaust the reader (denial of service) or substitute its own cached state (logic manipulation); if the classpath also carries a suitable gadget chain, it can reach remote code execution. The attacker must be able to place or influence the .bfmemo file consulted during processing, and a user must open or process the image. The CVSS 4.0 base score is 6.8 (medium): local attack vector, low attack complexity, no privileges required, user interaction required. No patch is linked at the time of writing, and no exploitation in the wild has been reported. The risk is greatest where Bio-Formats processes images from untrusted or external sources, for example collaborative research, medical imaging, or bioinformatics pipelines.

Potential Impact

For European organizations, particularly research institutions, universities, hospitals, and biotech companies using Bio-Formats for microscopy image processing, this vulnerability poses a risk of service disruption, data manipulation, or potentially full system compromise if exploited. Denial of service could interrupt critical image analysis workflows, impacting research timelines or clinical diagnostics. Logic manipulation could lead to incorrect scientific conclusions or medical decisions. Remote code execution, although conditional on environment specifics, could allow attackers to execute arbitrary code, potentially leading to data breaches or lateral movement within networks. Since Bio-Formats is used in specialized scientific and medical contexts, the impact extends beyond IT systems to potentially affect patient care and scientific integrity. The requirement for local file supply and user interaction limits remote exploitation but does not eliminate risk in collaborative or multi-user environments where untrusted files may be introduced.

Mitigation Recommendations

European organizations should treat a .bfmemo file that arrives with an image as untrusted input: strip or quarantine memo files from external data before Bio-Formats sees them, and do not let users or collaborators write into the directories from which memo files are loaded. Where possible, avoid wrapping readers in loci.formats.Memoizer for untrusted inputs, or configure Bio-Formats so that memo files are not loaded automatically. Run image processing in a sandbox or container with minimal privileges so that a successful exploit is contained. Audit the provenance of imported files, especially in shared or multi-user environments. Track the Open Microscopy Environment project for a fix and upgrade beyond 8.3.0 as soon as a patched release is available. As defence in depth against the remote-code-execution case, apply a JVM-wide deserialization filter (the jdk.serialFilter property, available since Java 9 and backported to 8u121) that rejects classes outside an allow-list, keep known gadget-bearing libraries off the classpath, and consider application allow-listing or runtime application self-protection (RASP) to detect unexpected deserialization. Train users to treat image files and their associated cache files from untrusted sources with the same caution as executables.
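As an added illustration of the two controls the description above says Memoizer lacks (an integrity check on the memo file and validation of what it deserializes), the following Java class is not Bio-Formats code and does not use its API. It is a hypothetical cache loader that prefixes the serialized body with an HMAC-SHA256 tag under a host-local key and deserializes only through an ObjectInputFilter allow-list. The MemoState type, the key handling, and the tag-plus-body file layout are assumptions made for this example.

```java
import java.io.*;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative hardened loader for a memoization cache (not Bio-Formats code).
 * Control 1, integrity/trust: an HMAC-SHA256 tag under a host-local key prefixes the
 *   serialized body, so a memo produced elsewhere or edited on disk is rejected before
 *   ObjectInputStream parses a single byte of it.
 * Control 2, validation: an ObjectInputFilter allow-list restricts which classes may be
 *   instantiated, so even a correctly tagged stream cannot reach gadget classes.
 */
public class SafeMemoLoader {
    private static final int TAG_LEN = 32;           // HMAC-SHA256 output length
    private static final String HMAC = "HmacSHA256";
    // Allow only the cache state type and the JDK types it references; reject everything else.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SafeMemoLoader$MemoState;java.lang.String;maxdepth=4;maxrefs=64;!*");

    private final SecretKeySpec key;

    /** Hypothetical cached reader state; stands in for whatever a real memo would hold. */
    public static final class MemoState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String format; final int sizeX, sizeY; final long sourceMtime;
        MemoState(String format, int sizeX, int sizeY, long sourceMtime) {
            this.format = format; this.sizeX = sizeX; this.sizeY = sizeY; this.sourceMtime = sourceMtime;
        }
    }

    /** The key is assumed to be generated once per host and never shipped with images. */
    public SafeMemoLoader(byte[] hostLocalKey) { this.key = new SecretKeySpec(hostLocalKey, HMAC); }

    private byte[] tag(byte[] body) throws IOException {
        try { Mac mac = Mac.getInstance(HMAC); mac.init(key); return mac.doFinal(body); }
        catch (GeneralSecurityException e) { throw new IOException(e); }
    }

    /** File layout (assumption): 32-byte tag followed by the Java serialization stream. */
    public void save(Path memo, Serializable state) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(state); }
        byte[] body = buf.toByteArray();
        byte[] t = tag(body);
        try (OutputStream os = Files.newOutputStream(memo)) { os.write(t); os.write(body); }
    }

    public Object load(Path memo) throws IOException, ClassNotFoundException {
        byte[] all = Files.readAllBytes(memo);
        if (all.length <= TAG_LEN) throw new IOException("memo too short");
        byte[] t = Arrays.copyOfRange(all, 0, TAG_LEN);
        byte[] body = Arrays.copyOfRange(all, TAG_LEN, all.length);
        if (!MessageDigest.isEqual(t, tag(body)))       // constant-time comparison
            throw new IOException("memo integrity check failed: refusing to deserialize");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(FILTER);            // must be set before the first readObject
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] k = new byte[32]; new SecureRandom().nextBytes(k);   // per-host key, generated once
        SafeMemoLoader loader = new SafeMemoLoader(k);
        Path memo = Files.createTempFile("sample", ".bfmemo");

        loader.save(memo, new MemoState("OME-TIFF", 2048, 2048, 1700000000L));
        MemoState ok = (MemoState) loader.load(memo);
        System.out.println("loaded: " + ok.format + " " + ok.sizeX + "x" + ok.sizeY);

        // Flip one byte of the body: the tag no longer matches, nothing is parsed.
        byte[] raw = Files.readAllBytes(memo);
        raw[raw.length - 1] ^= 0x01;
        Files.write(memo, raw);
        try { loader.load(memo); } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }

        // A correctly tagged stream naming a class outside the allow-list is still refused.
        loader.save(memo, new java.util.HashMap<String, String>());
        try { loader.load(memo); } catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
        Files.deleteIfExists(memo);
    }
}
```

Binding the tag to a key that never leaves the host means a .bfmemo copied in alongside an image, which is the scenario the advisory describes, fails the integrity check before any class is resolved; the filter then covers the residual case of an attacker who can write memo files on the host itself. A JVM-wide filter set through jdk.serialFilter gives the same allow-list effect for code paths you cannot modify.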


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-01-06T16:47:17.182Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695ec6692efadb62cf814038

Added to database: 1/7/2026, 8:47:37 PM

Last enriched: 1/7/2026, 9:02:32 PM

Last updated: 1/9/2026, 12:25:43 AM

