CVE-2026-22606
Misclassification Vulnerability in Fickling Enables Remote Code Execution
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trailofbits | fickling | Up to 0.1.6 (inclusive) |
| trailofbits | fickling | From 0.1.7 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22606 affects the Python package Fickling (versions up to 0.1.6), a pickle decompiler and static analyzer. Fickling fails to treat the Python `runpy` module and its functions (such as `runpy.run_path()` and `runpy.run_module()`) as unsafe. Because of this omission, malicious pickle files that use these `runpy` functions are classified only as 'SUSPICIOUS' instead of 'OVERTLY_MALICIOUS'. This misclassification can mislead users who rely on Fickling to decide whether a pickle is safe to deserialize, potentially allowing attacker-controlled code execution on the system when such a pickle is loaded. The root cause is an incomplete blocklist of unsafe imports. The vulnerability was patched in version 0.1.7 by adding `runpy` and its functions to the unsafe imports blocklist. [1, 3]
How can this vulnerability impact me?
If you use Fickling to vet pickle files before deserialization, this vulnerability can allow attackers to bypass security controls by crafting malicious pickle files that use the 'runpy' module to execute arbitrary code on your system. This can lead to remote code execution (RCE), enabling attackers to run attacker-controlled scripts or commands, potentially compromising your system's integrity, confidentiality, and availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by using the Fickling tool to analyze pickle files for unsafe imports, specifically looking for use of the `runpy` module and its functions such as `runpy.run_path()` or `runpy.run_module()`. For example, running the command `fickling --check-safety malicious.pkl` on suspicious pickle files shows whether they are classified as SUSPICIOUS or OVERTLY_MALICIOUS. Prior to the patch, malicious pickles using `runpy` were only marked as SUSPICIOUS, so ensure you are using Fickling version 0.1.7 or later, which correctly flags these as unsafe. [1]
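As an added illustration of the incomplete-blocklist failure described above (not Fickling's code and not part of the original page), this standard-library sketch lists the imports a pickle references without ever loading it. The two blocklists, the sample byte strings and the function name are assumptions constructed for the example.

```python
import pickletools

# Assumed, illustrative blocklists (not Fickling's real lists): the first omits
# runpy, as the advisory says releases up to 0.1.6 did; the second adds it.
BLOCKLIST_INCOMPLETE = frozenset({"os", "subprocess", "builtins"})
BLOCKLIST_WITH_RUNPY = BLOCKLIST_INCOMPLETE | {"runpy"}

STRING_OPS = {"UNICODE", "SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8"}
MEMO_WRITES = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}
UNRESOLVED = ("<unresolved>", "<unresolved>")


def find_unsafe_imports(data, blocklist):
    """List (module, name) imports in a pickle whose top-level module is blocklisted.

    The stream is only disassembled with pickletools.genops; it is never loaded.
    """
    hits, pending = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        op = opcode.name
        if op in STRING_OPS:
            pending.append(arg)  # candidate operands for a following STACK_GLOBAL
            continue
        if op in MEMO_WRITES:  # memo writes leave the stack unchanged
            continue
        ref = None
        if op == "GLOBAL":  # protocols 0-3: arg is "module name"
            ref = tuple(arg.split(" ", 1))
        elif op == "STACK_GLOBAL":  # protocol 4+: operands come from the stack
            # Operands that were not pushed as literal strings just before the
            # opcode cannot be resolved here, so fail closed and report them.
            ref = tuple(pending[-2:]) if len(pending) >= 2 else UNRESOLVED
        pending = []
        if ref and (ref == UNRESOLVED or ref[0].split(".")[0] in blocklist):
            hits.append(ref)
    return hits


# Constructed, inert samples: each only references a name and never calls it.
SAMPLE_PROTO0 = b"crunpy\nrun_path\n."
SAMPLE_PROTO4 = b"\x80\x04\x8c\x05runpy\x8c\x08run_path\x93."
SAMPLE_BENIGN = b"ccollections\nOrderedDict\n."
SAMPLE_OPAQUE = b"\x80\x04\x93."  # STACK_GLOBAL with no visible string operands

if __name__ == "__main__":
    for sample in (SAMPLE_PROTO0, SAMPLE_PROTO4, SAMPLE_BENIGN, SAMPLE_OPAQUE):
        print(find_unsafe_imports(sample, BLOCKLIST_INCOMPLETE),
              find_unsafe_imports(sample, BLOCKLIST_WITH_RUNPY))
```

The same input passes the list that omits `runpy` and is reported by the list that includes it, which is the gap CWE-184 describes. This scan is a coarse pre-filter and does not replace Fickling's analysis.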
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Fickling to version 0.1.7 or later, where the vulnerability has been patched by adding 'runpy' and its related functions to the unsafe imports blocklist. This update improves detection and prevents malicious pickles exploiting runpy from being misclassified. Additionally, avoid deserializing pickle files from untrusted sources until you have verified their safety with the updated tool. [2, 3]