CVE-2026-22612
Unknown Unknown - Not Provided
Detection Bypass in Fickling Python Pickling Decompiler

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, Fickling is vulnerable to detection bypass due to "builtins" blindness. This issue has been patched in version 0.1.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22612
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
trailofbits fickling to 0.1.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22612 is a detection bypass vulnerability in the Python package 'fickling', which analyzes Pickle bytecode by converting it to an Abstract Syntax Tree (AST). The vulnerability arises because the tool deliberately omits AST import nodes for Python's built-in modules ('__builtin__', '__builtins__', 'builtins'), a behavior called 'builtins blindness'. Since these built-in imports are skipped, the security scanner cannot detect malicious imports of dangerous built-in functions that can execute arbitrary code. This allows attackers to craft pickle payloads that evade detection by hiding imports of modules like 'os' via the built-in '__import__' function, enabling execution of arbitrary commands without being flagged by the security analysis. The issue was fixed by changing the code to always emit AST import nodes for built-in modules, restoring visibility to the scanner and preventing such bypasses. [2, 3]

Impact Analysis

This vulnerability can allow attackers to bypass security detection mechanisms in the 'fickling' tool when analyzing Pickle bytecode. As a result, malicious pickle payloads that execute arbitrary code can evade detection, potentially leading to unauthorized code execution on systems that rely on 'fickling' for security analysis. This could compromise system integrity, confidentiality, and availability by allowing attackers to run harmful commands or scripts undetected. [2]

Detection Guidance

This vulnerability can be detected by analyzing pickle payloads for the presence of built-in imports that are normally omitted in the AST by vulnerable versions of fickling (≀ 0.1.6). Specifically, look for pickle payloads that use the built-in __import__ function to dynamically import dangerous modules like 'os' and execute system commands. Detection can be done by running the fixed version (β‰₯ 0.1.7) of fickling which emits explicit AST import nodes for builtins and flags unsafe imports. A test example from the fix uses a pickle payload that calls builtins.__import__('os').system('whoami'). While no direct commands are provided, using the updated fickling tool to analyze pickle files will detect such bypasses. [2, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade fickling to version 0.1.7 or later, where the vulnerability has been patched. The patch ensures that import AST nodes for built-in modules are emitted explicitly, preventing bypasses of the security analysis. Additionally, reviewing and blocking untrusted pickle data inputs can reduce risk. Using the updated version of fickling will restore detection of malicious pickle payloads that exploit built-in import bypasses. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22612. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart