CVE Alert

CVE-2026-14534

HIGH 8.8

Fickling check_safety() bypass via unlisted standard library modules (_posixsubprocess, site, atexit)

CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 0th

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions in them, including _posixsubprocess.fork_exec (a C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks).

The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, so a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is the same as in CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types).

None of fickling's analyses catch the payload: OvertlyBadEvals does not flag these modules because they are standard library imports; UnsafeImports does not flag them because they are not in the denylist; and the UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.
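To make the denylist gap concrete from the defender's side, here is an added example (not fickling's code, and not its real UNSAFE_IMPORTS) that walks a pickle's opcodes with the standard pickletools module, collects every module a GLOBAL or STACK_GLOBAL opcode would import, and returns a verdict against a denylist with and without the three modules this advisory names. The denylist contents and the sample pickles are constructed for the example; the samples only reference a function and contain no REDUCE opcode, so loading them would not call anything.

```python
import pickle
import pickletools

# Constructed, illustrative denylist (not fickling's real UNSAFE_IMPORTS): a few
# well-known dangerous modules, with and without the three this advisory names.
BASE_DENYLIST = {"os", "subprocess", "builtins"}
PATCHED_DENYLIST = BASE_DENYLIST | {"_posixsubprocess", "site", "atexit"}

# String-pushing opcodes whose argument may feed a later STACK_GLOBAL.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def pickle_imports(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) pair the stream would import, from both
    the protocol-0 GLOBAL opcode and the protocol-4 STACK_GLOBAL opcode."""
    imports, strings = [], []  # strings: pushed string args, newest last
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":          # arg is "module name"
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":  # pops name, then module
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two string operands")
            name, module = strings.pop(), strings.pop()
            imports.append((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return imports


def scan_pickle(data: bytes, denylist: set[str]) -> tuple[str, list[str]]:
    """LIKELY_SAFE mirrors the advisory's verdict name; UNSAFE is ours."""
    findings = [f"{m}.{n}" for m, n in pickle_imports(data) if m in denylist]
    return ("UNSAFE" if findings else "LIKELY_SAFE"), findings


def _short_binunicode(s: str) -> bytes:
    raw = s.encode("utf-8")
    return b"\x8c" + bytes([len(raw)]) + raw  # SHORT_BINUNICODE opcode


# Constructed samples. Each only *references* a function (no REDUCE opcode),
# so loading one returns a function object rather than calling anything.
GLOBAL_SAMPLE = b"catexit\n_run_exitfuncs\n."  # GLOBAL then STOP
STACK_GLOBAL_SAMPLE = (b"\x80\x04" + _short_binunicode("site")
                       + _short_binunicode("execsitecustomize") + b"\x93.")
BENIGN_SAMPLE = pickle.dumps({"ok": 1})
```

With BASE_DENYLIST, scan_pickle(GLOBAL_SAMPLE, ...) returns LIKELY_SAFE with no findings, which is the bypass the advisory describes; with PATCHED_DENYLIST the same bytes are reported as UNSAFE for atexit._run_exitfuncs.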

CWE: CWE-184, CWE-502
Vendor: trailofbits
Product: fickling
Published: Jul 4, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

trailofbits / fickling: versions from 0 through 0.1.10 (inclusive)

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/trailofbits/fickling/security/advisories/GHSA-m6fh-58r7-x697
github.com: https://github.com/trailofbits/fickling/pull/272
github.com: https://github.com/trailofbits/fickling/commit/e8408615b63adf034f891f653692ab9b51f0f5af
github.com: https://github.com/trailofbits/fickling/releases/tag/v0.1.11

Credits

Christopher Aziz (Bombadil Systems LLC)