CVE-2026-22607
Unknown Unknown - Not Provided
Misclassification Vulnerability in Fickling Enables Remote Code Execution

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22607
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
trailofbits fickling to 0.1.6 (inc)
trailofbits fickling From 0.1.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22607 is a security vulnerability in the Python package 'fickling' (versions up to 0.1.6), which is used to analyze and classify the safety of pickle files before deserialization. The vulnerability arises because fickling does not treat the Python module 'cProfile' and its functions like cProfile.run() as unsafe. This allows a malicious pickle file that uses cProfile.run() to be misclassified as only 'SUSPICIOUS' rather than 'OVERTLY_MALICIOUS'. Since cProfile.run() can execute arbitrary Python code strings, this misclassification can lead users to mistakenly trust and deserialize malicious pickles, resulting in arbitrary code execution on their systems. The issue was fixed in version 0.1.7 by adding cProfile and related functions to the unsafe imports blocklist. [3, 1]

Impact Analysis

If you rely on fickling to determine whether pickle files are safe to deserialize, this vulnerability can allow attackers to execute arbitrary code on your system by crafting malicious pickle files that use cProfile.run(). This can compromise any workflow or product that uses fickling as a security gate, including machine learning model validation pipelines, model hosting platforms, security scanning tools, and CI/CD pipelines. The attacker-controlled code execution can lead to system compromise, data breaches, or other malicious activities. [3]

Detection Guidance

This vulnerability can be detected by using the updated version of the tool 'fickling' (version 0.1.7 or later), which includes enhanced detection for unsafe imports such as 'cProfile'. Specifically, the tool analyzes pickle files for unsafe imports and flags those using 'cProfile.run()' as overtly malicious. A suggested approach is to run fickling's analysis on pickle files to detect suspicious or malicious payloads. For example, you can use the fickling command-line interface to analyze pickle files: `fickling analyze <pickle_file>`. This will flag unsafe imports including 'cProfile'. Additionally, the test case added in the fix uses a pickle payload that imports 'run' from 'cProfile' and executes code, which can be used as a detection pattern. There are no specific network commands provided, but scanning pickle files with the updated fickling tool is the recommended detection method. [1, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade fickling to version 0.1.7 or later, which includes the patch that adds 'cProfile' and its functions to the unsafe imports blocklist, preventing malicious pickles using 'cProfile.run()' from being misclassified as merely suspicious. Avoid relying on versions of fickling at or below 0.1.6 for security gating of pickle deserialization. Additionally, review workflows and products that use fickling as a security gate and ensure they are updated to use the patched version. If upgrading is not immediately possible, consider additional manual inspection or alternative security controls for pickle deserialization to prevent execution of attacker-controlled code. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22607. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart