Share
## https://sploitus.com/exploit?id=77C08396-8631-54B6-8066-72D7765488BD
# CVE-2026-22187-Bio-Formats-unsafe-Java-deserialization-via-.bfmemo
Bio-Formats โ‰ค 8.3.0 performs unsafe Java deserialization of attacker-controlled .bfmemo cache files during image processing; crafted .bfmemo can trigger deserialization of untrusted data (DoS/logic manipulation; potentially RCE if gadget chains exist).

Safe reproduction (local-only)
This does NOT build a gadget chain or execute code. It only shows that .bfmemo gets deserialized for demonstration purposes.

# In a controlled lab where you have Bio-Formats on classpath
javac -cp bioformats_package.jar DemoMemoizer.java
java -cp .:bioformats_package.jar DemoMemoizer ./sample.tif

This is appropriate for education because it demonstrates the unsafe deserialization surface without malicious use.